Certificate maintenance
When client or server certificates expire, they need to be renewed.
Renew server certificates
Use the same commands that were used to create the initial key/certs:
xbusd key generate
xbusd cert generate server-ca [ --host-defs <server names/ips> ]
xbusd cert generate client-ca
Restart xbusd
After doing so, all the client certificates _must_ be renewed.
Renew client certificate
Reset the cert
The client certificate renewal must be initiated server-side, with xbusctl
(or directly with xbusd if no xbusctl can connect):
xbusctl account reset-cert <account name or id>
After running this command, the account state is back to PENDING, and both
its certificate and CSR are reset.
Renew the CSR
The client utility (xbus-client or xbusctl) can now provide a new CSR,
and optionally renew its private key:
xbus-client renew-cert [ --newkey ]
Accept the new CSR
The administrator now has to accept the account to generate a new certificate:
xbusctl account accept <account name or id>
Install the new certificate
Finalize the operation by fetching and installing the new certificate:
xbus-client register