...
However, if the CA changes, you must follow some extra steps.
Step-by-step guide
- Get new certificate
- Check if the certificate chain has changed. If:
- Yes: Jump to step 3
- No: Jump to step 4
- The chain changed
- Add the new chain to the Agent Updater (do NOT replace the old chain!).
- Bake and sign agents
- Wait until all agents updated
- Jump to step 4
- The chain did not change, or step 3 was done
- restrict Auto Updates to only 2 or 3 hosts, so if something goes wrong, you do not mess up everything
- deploy the new certificate to the Apache server
- check for the correct cert and chain by using a browser
- make sure Auto Update works for the test hosts
- if the chain changed (see step 3), remove the old chain from the updater rule, bake & sign agents, and see if everything works with the test hosts
- remove the restriction to the test hosts and update all agents.
| Note |
|---|
P.S. to step 3: As this article is written (v2.0.0p8), Checkmk cannot handle the chain correctly if it is contained in a single file. All certs (client, root, intermediate) must be added separately. If you have everything in one .crt file, this is relatively easy: upload the file & save it, then copy the rule. Checkmk automatically converts the file to text, and now you can split the certificates at their "BEGIN/END Certificate" sections. When done, delete the initial rule. |
Related articles
| Filter by label (Content by label) | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
...