Replacing the SSL certificate of a cluster node

To replace the SSL certificate of a cluster node:

1. Connect to the cluster node over SSH to gain access to the Technical Support Mode.
2. Place the certificate file (cert.pem) and the private key file (key.pem) in the /root directory.
3. Change to the web server config files directory:

   cd /var/opt/kaspersky/ksmg/certs

4. Create backup copies of the current certificate and private key:

   cp -p webapi.crt webapi.crt.backup

   cp -p webapi.key webapi.key.backup

   cp -p dhparam.pem dhparam.pem.backup

5. Replace the contents of the certificate and private key files:

   cat /root/cert.pem > webapi.crt

   cat /root/key.pem > webapi.key

6. Generate DH parameters:

   openssl dhparam -out dhparam.pem 4096

   Generating DH parameters may take 10 to 20 minutes. Wait for the operation to finish.

7. Configure access permissions for the modified files using the following commands:

   chown root:root webapi.crt

   chmod 644 webapi.crt

   chown kluser:root webapi.key

   chmod 600 webapi.key

   chown root:root dhparam.pem

   chmod 644 dhparam.pem

8. Restart the nginx service:

   systemctl restart nginx

9. Check the status of the nginx service:

   systemctl status nginx

   The service must have the running status.

10. Open the web interface of the cluster node in the browser. If the certificate was successfully replaced, the insecure connection warning is not displayed.
11. If the replacement was successful, delete the original certificate and private key files from the /root directory:

    rm -f /root/cert.pem /root/key.pem

The SSL certificate of the cluster node is replaced. If you want to replace certificates on multiple cluster nodes, you must follow the step-by-step instruction on each node.