Replacing the SSL certificate of a cluster node
23 May 2024
ID 234129
To replace the SSL certificate of a cluster node:
- Connect to the cluster node over SSH to gain access to the Technical Support Mode.
- Place the certificate file (cert.pem) and the private key file (key.pem) in the /root directory.
- Change to the web server config files directory:
cd /var/opt/kaspersky/ksmg/certs
- Create backup copies of the current certificate, private key, and DH parameters:
cp -p webapi.crt webapi.crt.backup
cp -p webapi.key webapi.key.backup
cp -p dhparam.pem dhparam.pem.backup
- Replace the contents of the certificate and private key files:
cat /root/cert.pem > webapi.crt
cat /root/key.pem > webapi.key
- Generate DH parameters:
openssl dhparam -out dhparam.pem 4096
Generating DH parameters may take 10 to 20 minutes. Wait for the operation to finish.
- Configure access permissions for the modified files using the following commands:
chown root:root webapi.crt
chmod 644 webapi.crt
chown kluser:root webapi.key
chmod 600 webapi.key
chown root:root dhparam.pem
chmod 644 dhparam.pem
- Restart the nginx service:
systemctl restart nginx
- Check the status of the nginx service:
systemctl status nginx
The service must have the running status.
- Open the web interface of the cluster node in the browser. If the certificate was successfully replaced, the insecure connection warning is not displayed.
- If the replacement was successful, delete the original certificate and private key files from the /root directory:
rm -f /root/cert.pem /root/key.pem
The SSL certificate of the cluster node is replaced. If you want to replace certificates on multiple cluster nodes, you must repeat this procedure on each node.
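A mismatched, expired, or passphrase-protected file only shows up after nginx is restarted, so the pair in /root can be checked before it overwrites webapi.crt and webapi.key. The following is an added example, not part of the original procedure or the vendor's tooling; the function name check_pair, its return codes, and the 24-hour default validity threshold are assumptions made for this example.

```shell
#!/bin/sh
# Added example: pre-flight check for the files placed in /root, run before
# they overwrite webapi.crt and webapi.key.
# Usage: check_pair /root/cert.pem /root/key.pem [min_seconds_of_validity]
# check_pair and its return codes are names chosen for this example.

check_pair() {
    cp_cert=$1
    cp_key=$2
    cp_min=${3:-86400}   # assumed default: require at least 24 h of validity

    # 1. The certificate must parse as PEM-encoded X.509.
    if ! openssl x509 -in "$cp_cert" -noout 2>/dev/null; then
        echo "FAIL: $cp_cert is not a readable PEM certificate"; return 1
    fi

    # 2. The key must parse without a passphrase. "-passin pass:" supplies an
    #    empty passphrase, so an encrypted key fails here instead of prompting.
    if ! openssl pkey -in "$cp_key" -passin pass: -noout 2>/dev/null; then
        echo "FAIL: $cp_key is unreadable or passphrase-protected"; return 2
    fi

    # 3. The certificate must not expire within cp_min seconds.
    if ! openssl x509 -in "$cp_cert" -noout -checkend "$cp_min" >/dev/null 2>&1; then
        echo "FAIL: certificate expires within $cp_min seconds"; return 3
    fi

    # 4. The public key in the certificate must be the one derived from the
    #    private key; otherwise the TLS handshake cannot work.
    cp_pub_cert=$(openssl x509 -in "$cp_cert" -noout -pubkey 2>/dev/null)
    cp_pub_key=$(openssl pkey -in "$cp_key" -passin pass: -pubout 2>/dev/null)
    if [ "$cp_pub_cert" != "$cp_pub_key" ]; then
        echo "FAIL: certificate and private key do not belong together"; return 4
    fi

    echo "OK: certificate and key match and are usable"
    return 0
}
```

If the function reports a failure, leave the existing webapi.crt and webapi.key untouched and correct the files in /root first.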