How to Renew Certificates for CSO Components

You can renew or view the certificates of CSO components by using the manage_certificate.sh script.

Note:

Actual output might vary from the sample output shown based on your deployment scenario.

  1. Log in to the startupserver1 VM as the root user.

  2. Navigate to the CSO directory in the startupserver1 VM.

    For example:

  3. Run the manage_certificate.sh script to check the status or renew the certificates of the CSO components.

    Note:

    To check the options that you can use with the manage_certificate.sh script, enter manage_certificate.sh -h or manage_certificate.sh --help.

  4. You can choose to perform any of the following tasks:

How to View the Certificate Expiry Dates

To list all the certificates and their expiry dates, type 0 at the prompt and press Enter. You can also view the same output by using ./manage_certificate.sh -c or ./manage_certificate.sh --check.

How to Schedule a Cron Job

To schedule a cron job:

  1. To schedule a cron job for e-mail notifications about certificate expiry, type 1 at the prompt and press Enter. We recommend that you configure the SMTP server information in the /usr/local/etc/smtp_server_details.json file before proceeding to schedule the cron job.

    You can also schedule a cron job by using ./manage_certificate.sh -n or ./manage_certificate.sh --notify.

    • If you did not configure an SMTP server, type n and press Enter.

      Configure the SMTP server and run the manage_certificate.sh script again to schedule the cron job.

    • If an SMTP server is configured, type y and press Enter.

      Select any of the options available. You can choose to list all the cron jobs, create a new cron job, or delete a cron job.

  2. To create a cron job, type 2 at the prompt and press Enter.

    Define a schedule for the cron job using the format * * * * *, which is a set of five values (that is, Minute, Hour, Day of the Month, Month, and Day of the Week) on one line, separated by spaces. Here are a few sample schedules:

    • Every hour: 0 * * * *
    • Every Monday at 10 PM: 0 22 * * 1

    The e-mail notification contains information such as component name, certificate expiry date, number of days left for certificate expiry, and status of the certificate.

  3. To delete a cron job, type 3 at the prompt and press Enter.

    At the prompt, copy and paste the cron schedule that you want to delete and press Enter.
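
The five-field schedule format from step 2, as an added example (not part of the CSO documentation or of the manage_certificate.sh script): a POSIX shell check you can run on a schedule string before pasting it at the prompt. The function names are hypothetical, and the check assumes numeric fields only, with Day of the Week accepted as 0-7.

```sh
#!/bin/sh
# Added example: validate a five-field cron schedule (Minute Hour Day-of-Month
# Month Day-of-Week) before entering it at the cron job prompt.
# Assumption: numeric fields only; month and weekday names are not handled.

# True if $1 is a decimal number of at most two digits.
is_num() { case $1 in ''|*[!0-9]*) return 1 ;; esac; [ ${#1} -le 2 ]; }

# True if $1 is a number between $2 and $3 inclusive.
in_range() { is_num "$1" && [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]; }

# check_field VALUE MIN MAX: accepts *, N, N-M, an optional /STEP suffix,
# and comma-separated lists of those. Runs in a subshell so that the
# IFS and globbing changes do not leak into the caller.
check_field() (
    set -f; IFS=,
    case $1 in ''|,*|*,|*,,*) exit 1 ;; esac      # no empty list items
    for item in $1; do
        base=${item%%/*}
        if [ "$base" != "$item" ]; then            # a /STEP suffix is present
            step=${item#*/}
            is_num "$step" && [ "$step" -ge 1 ] || exit 1
        fi
        case $base in
            '*') ;;
            *-*) in_range "${base%%-*}" "$2" "$3" &&
                 in_range "${base#*-}" "${base%%-*}" "$3" || exit 1 ;;
            *)   in_range "$base" "$2" "$3" || exit 1 ;;
        esac
    done
    exit 0
)

# validate_cron "SCHEDULE": exit status 0 if all five fields are valid.
validate_cron() (
    set -f                # keep * from expanding to file names
    set -- $1             # split the schedule on whitespace
    [ $# -eq 5 ] || { echo "expected 5 fields, got $#" >&2; exit 1; }
    check_field "$1" 0 59 || { echo "invalid Minute: $1" >&2; exit 1; }
    check_field "$2" 0 23 || { echo "invalid Hour: $2" >&2; exit 1; }
    check_field "$3" 1 31 || { echo "invalid Day of the Month: $3" >&2; exit 1; }
    check_field "$4" 1 12 || { echo "invalid Month: $4" >&2; exit 1; }
    check_field "$5" 0 7  || { echo "invalid Day of the Week: $5" >&2; exit 1; }
)

# The two sample schedules above, plus two constructed typos.
for s in "0 * * * *" "0 22 * * 1" "0 22 * * 8" "0 22 * *"; do
    if validate_cron "$s"; then echo "OK      $s"; else echo "REJECT  $s"; fi
done
```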

How to Renew a Certificate

You can renew a certificate only if its status is Expired or About to Expire.

Note:

You can renew only self-signed certificates. Third-party certificates cannot be renewed.

At the prompt that appears when you run the manage_certificate.sh script, type the number representing the component for which you want to renew the certificate and press Enter.

The system checks the status of the certificate:

  • If the status is Expired or About to Expire, then the certificate renewal process is initiated. After the certificate renewal, the system performs a health check.
    Note:

    When the HA proxy certificate is renewed, the telemetry agent certificate for all devices provisioned on CSO is automatically renewed.

    If the HA proxy certificate is renewed but the telemetry agent renewal cannot be completed because of a failure, you can renew the telemetry agent certificate separately. Run the manage_certificate.sh script and provide the number corresponding to the Telemetry Agent (3 in the sample output) to renew the certificate.

  • If the status is Not Expired, then the certificate is not renewed.

    Sample output if the status of a certificate is Not Expired: