...
However, if the CA changes, you must follow some extra steps.
Step-by-step guide
...
1. Get new certificate
2. Check if the certificate chain has changed. If:
   - Yes: Jump to step 3
   - No: Jump to step 4
3. The chain changed (this is if you are using a single cert)
   - Add the new chain to the Agent Updater (do NOT replace the old chain!).
   - Bake and sign agents
   - Wait until all agents are updated
   - Jump to step 4
4. The chain did not change, or step 3 was done
   - Restrict Auto Updates to only 2 or 3 hosts, so if something goes wrong, you do not mess up everything
   - Deploy the new certificate to the Apache server
   - Check for the correct cert and chain by using a browser
   - Make sure Auto Update works for the test hosts
   - If the chain changed (see step 3), remove the old chain from the updater rule, bake & sign agents, and see if everything works with the test hosts
   - Remove the restriction to the test hosts and update all agents.
...
P.S. to step 3: At the time of writing (v2.0.0p8), Checkmk cannot handle the chain correctly if it is contained in a single file. All certs (client, root, intermediate) must be added separately.
If you have everything in one .crt file, this is relatively easy: upload the file & save it, then copy the rule. Checkmk automatically converts the file to text, and now you can split the certificates at their "BEGIN/END Certificate" sections.
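The check in step 2 and the split described in this P.S. can also be done offline before touching the rule. The following is an added example, not code from Checkmk or from the original article; the function names are hypothetical, the sample bundles are constructed placeholders rather than real certificates, and it assumes the server certificate is the first block in each bundle.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.DOTALL)

def split_bundle(text):
    """Return every certificate in a PEM bundle as its own PEM string."""
    certs = []
    for body in PEM_RE.findall(text):
        b64 = "".join(body.split())
        base64.b64decode(b64, validate=True)  # raises on a damaged block
        lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        certs.append(f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n")
    return certs

def fingerprint(pem):
    """SHA-256 over the decoded (DER) bytes of one PEM certificate."""
    b64 = "".join(PEM_RE.search(pem).group(1).split())
    return hashlib.sha256(base64.b64decode(b64)).hexdigest()

def chain_changed(old_bundle, new_bundle):
    """Assumption: the server certificate comes first; the rest is the chain."""
    old = {fingerprint(c) for c in split_bundle(old_bundle)[1:]}
    new = {fingerprint(c) for c in split_bundle(new_bundle)[1:]}
    return old != new

def _constructed(payload):
    # Constructed stand-in for a certificate: placeholder bytes, not real DER.
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

OLD = _constructed(b"server-old") + _constructed(b"intermediate-A") + _constructed(b"root-A")
RENEWED = _constructed(b"server-new") + _constructed(b"intermediate-A") + _constructed(b"root-A")
NEW_CA = _constructed(b"server-new") + _constructed(b"intermediate-B") + _constructed(b"root-B")

if __name__ == "__main__":
    print("same CA  ->", "step 3" if chain_changed(OLD, RENEWED) else "step 4")
    print("new CA   ->", "step 3" if chain_changed(OLD, NEW_CA) else "step 4")
    for n, pem in enumerate(split_bundle(NEW_CA), 1):
        print(f"--- certificate {n}, sha256 {fingerprint(pem)[:16]}...")
        print(pem, end="")
```

With real files, read the old and new bundle from disk and pass their text to `chain_changed`; each string returned by `split_bundle` is one certificate to add separately.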
...