D Managing Certificate Expiry
Oracle provides a utility script to analyze the certificates used by the ATA, MB (Message Bus), Authorization, and SmartSearch services. You can renew expired certificates using this script. You must follow the prerequisites and postrequisites for this script.
The guidelines for using the utility script are:
- If you are using SSL TERMINATE at ingress for the ATA, Authorization, Message Bus, and SmartSearch services, you can run this script with the appropriate arguments to renew, or verify the expiry of, the certificates for the services one at a time or all together.
- If the ingress listener is enabled for Message Bus, you can use this script to renew the Message Bus certificate.
- This script also supports renewal of certificates for any egress communication. If your IDP certificate has expired, you can replace it, or add a new certificate, in the truststore of all services using this script.
Prerequisites
Here are the prerequisites:
- You must have the new SSL certificate(s) that need to be imported.
- All services must be running over SSL Terminate at ingress, except the message bus.
Renewing Ingress Certificates
To renew the ingress certificates:
- Run the following command to verify the ingress certificates:
$COMMON_CNTK/scripts/manage-certificates.sh -p project -i instance -c verify -t ingress
This command shows the validity of all ingress certificates for all services. You can add the -a <servicename> option to the above command to verify the certificates of a particular service only.
- Run the following command to renew the ingress certificates:
$COMMON_CNTK/scripts/manage-certificates.sh -p project -i instance -c import -t ingress
This command prompts for the certificate and key inputs. Provide the new certificates, and all ingress certificates will be renewed. You can also use the -a <servicename> option to renew the certificates of a particular service only.
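Before handing a replacement certificate and key to the import command, it is worth confirming that the certificate is not already near expiry and that it actually belongs to the key you are about to supply. The following is an added example and not part of Oracle's toolkit; it uses only the openssl CLI and generates its own sample files (the file names and the 90-day validity are constructed for the demonstration).

```shell
#!/bin/sh
# Pre-import sanity checks for a replacement ingress certificate/key pair.
# Requires only the openssl CLI. All paths below are hypothetical.

# Exit 0 if the PEM certificate in $1 is still valid $2 days from now.
# openssl -checkend exits 1 as soon as the certificate would expire within
# that window, which also catches a certificate that has already expired.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Exit 0 if the public key embedded in certificate $1 equals the public key
# derived from private key $2, i.e. the two files form a matching pair.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Constructed sample input: a self-signed 90-day certificate with its key,
# plus an unrelated key, all created in a temporary directory.
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
    -subj "/CN=ingress.example.test" \
    -keyout "$WORK/ingress.key" -out "$WORK/ingress.crt" >/dev/null 2>&1
openssl genpkey -algorithm RSA -out "$WORK/other.key" >/dev/null 2>&1

if cert_valid_for_days "$WORK/ingress.crt" 30; then
    echo "ingress.crt: valid for at least 30 more days"
else
    echo "ingress.crt: expires within 30 days (or already expired); renew first"
fi

if cert_key_match "$WORK/ingress.crt" "$WORK/ingress.key"; then
    echo "ingress.key matches ingress.crt: safe to import this pair"
fi
if ! cert_key_match "$WORK/ingress.crt" "$WORK/other.key"; then
    echo "other.key does NOT match ingress.crt: do not import this pair"
fi
```

Run the same two checks against the real files you intend to pass to manage-certificates.sh, then remove the temporary directory.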
Import Egress Certificates
To import egress certificates:
- Run the following command to verify the egress certificates:
$COMMON_CNTK/scripts/manage-certificates.sh -p project -i instance -c verify -t egress
This command shows the validity of all egress certificates in the truststore of each service.
- Run the following command to import (renew) the egress certificates:
$COMMON_CNTK/scripts/manage-certificates.sh -p project -i instance -c import -t egress
This command prompts for the certificate and alias name inputs. Provide the new certificate along with the alias under which it is to be stored.
Note:
- If the provided alias name already exists, the older certificate is overwritten by the new certificate. Therefore, if you want to retain the old certificate, provide a new alias name.
- To perform any egress operation for the SmartSearch service, you must run the above command separately with the -a smartsearch option.
Postrequisites
Following are the postrequisites:
- If you have imported egress certificates for any application, make sure you restart it.
- In the case of Message Bus ingress certificate renewal, you must restart Message Bus for the change to take effect.
- After the renewal of ingress certificates, make sure that you have imported the new certificates into the truststore of every client that connects to these services.