certificates

The cfy certificates commands handle certificates’ maintenance procedures.

Commands

Replacing Certificates

Certificates are used by Cloudify for TLS based secure communication between the different Cloudify components and between the user interface and the Cloudify manager. Certificates are set during the initial deployment of the Cloudify management (cluster or all-in-one), but later maintenance and replacement of the certificates may be required as a result of regulatory compliance demand, certificate expiration, or revocation due to security breach. Follow this procedure when certificate replacement is required:

  1. Generate the replace-certificates configuration file using cfy certificates generate-replace-config. This file should be filled with the new certificates’ paths.
  2. Replace the certificates using cfy certificates replace. This command uses the filled configuration file from the previous step.

generate-replace-config

Usage

cfy certificates generate-replace-config

Generates the replace-certificates configuration file. Please fill in the generated file with the new certificates’ paths and save it.

Optional flags:
Example
$ cfy certificates generate-replace-config
...

The certificates replacement configuration file was saved to certificates_replacement_config.yaml

...

replace

Usage

cfy certificates replace

This command will replace the certificates on your all-in-one manager or management cluster, whichever you are currently using. It uses the filled configuration file in order to get the new certificates’ paths.
At the end of the process, the old certificates are saved at the same directory as the new ones (/etc/cloudify/ssl/) with a timestamp attached to their name.

Optional flags:
Example
$ cfy certificates replace
...

Validating replace-certificates config file... 
Validating status is healthy 
Validating certificates on host <host-ip>  
Validating certificates on host <host-ip>  

Replacing certificates...
Passing CA certs to agents    
Replacing certificates on host <host-ip>  
Replacing certificates on host <host-ip>  
Passing CA certs to agents

Validating status is healthy
Successfully replaced certificates  

...