Step 1: Backup your CKS
Before doing any work on your CKS installation, it is recommended to perform a full backup of all directories and files.
Commands:
cd /var/virtru
mkdir backup
cd backup
cp -r /var/virtru/cks .
Step 2: Stop your running CKS
You will need to stop the running Docker containers before updating anything. If you are running multiple CKS servers, take the one you are updating out of the load balancer before stopping it.
Commands:
cd /var/virtru/cks
docker-compose down
Step 3: Update the SSL certificate
If you already have a renewed certificate bundle, skip to Step 4. If you need to generate a certificate request, you can run the following commands and then send the .csr to your certificate authority. They should return a new certificate bundle, which you will turn into a .pem file in the next step. Keep the generated .key file: it is the private key that goes first in ssl.pem in Step 4, and a certificate issued for this CSR will not work with the old key.
Commands:
cd /var/virtru/cks/ssl
openssl req -new -newkey rsa:2048 -nodes -keyout cks.example.com.key -out cks.example.com.csr
Step 4: Convert your certificate bundle to PEM format
The CKS requires the SSL certificate to be in the /var/virtru/cks/ssl folder, in .pem format. Most certificate authorities will send you a bundle containing the certificate and one or more intermediate certificates.
Note: the order of certificates in ssl.pem matters. The certificate for your CKS FQDN must come before the intermediate certificates for your CA.
To convert the contents of the bundle to a .pem file, first copy the bundle into the ssl folder and execute the following:
Commands:
cd /var/virtru/cks/ssl
cat [path-to-private-key] [path-to-certificate] [path-to-intermediate-cert-1] ... [path-to-intermediate-cert-N] > ssl.pem
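Because the order in ssl.pem matters and a plain cat silently produces a broken file when one of the source files lacks a trailing newline, here is an added Python checker (not part of the Virtru documentation; check_ssl_pem and the constants are my own names) that validates the structure of an assembled ssl.pem: private key first, then certificate blocks, every body valid base64, and no END/BEGIN markers fused onto one line. The sample PEM bodies are constructed filler, not real keys or certificates.

```python
import base64
import binascii
import re

# One PEM block: label, base64 body, then the matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)
# Fused markers: a source file without a trailing newline was cat'ed, so the END
# of one block and the BEGIN of the next share a line; OpenSSL rejects that.
FUSED = re.compile(r"-----END [A-Z0-9 ]+-----[^\n]*-----BEGIN ")
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def check_ssl_pem(text):
    """Return the problems found in an ssl.pem assembled as in Step 4.
    An empty list means: private key first, then one or more CERTIFICATE
    blocks, every body decodes as base64, and no fused marker lines."""
    problems = []
    blocks = PEM_BLOCK.findall(text)  # list of (label, body) in file order
    if not blocks:
        return ["no PEM blocks found"]
    labels = [label for label, _ in blocks]
    if labels[0] not in KEY_LABELS:
        problems.append(f"first block must be the private key, found {labels[0]}")
    if any(label in KEY_LABELS for label in labels[1:]):
        problems.append("private key appears after a certificate")
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block found")
    for label, body in blocks:
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            problems.append(f"{label} block body is not valid base64 (truncated paste?)")
    if FUSED.search(text):
        problems.append("END and BEGIN markers on one line: a source file lacked a trailing newline")
    return problems


# Constructed samples: the bodies are base64 filler, not real keys or certs.
GOOD_PEM = (
    "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nBBBB\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nCCCC\n-----END CERTIFICATE-----\n"
)
# Bundle cat'ed before the key, and the bundle file had no trailing newline.
BAD_PEM = (
    "-----BEGIN CERTIFICATE-----\nBBBB\n-----END CERTIFICATE-----"
    "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"
)
```

The checker cannot tell the leaf certificate from an intermediate; `openssl x509 -in ssl.pem -noout -subject -enddate` prints only the first CERTIFICATE block in the file, so it must show the CKS FQDN and the new expiry date.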
Step 5: Start the CKS Containers
Now that the new .pem file is inside the ssl folder you can turn the CKS back on.
Commands:
cd /var/virtru/cks
docker-compose up -d
Step 6: Check the Logs
Checking the logs for the absence of any errors is important. Also make sure that the 3 Docker containers start and stay up rather than restarting repeatedly; a container that keeps restarting is an indication of a problem.
Commands:
cd /var/virtru/cks
docker-compose logs -f
Step 7: Additional Testing Steps
Once the containers are up, validate the response.
Commands:
curl https://cks.example.com/status
Using a browser, navigate to the /status endpoint and observe the updated date on the certificate.
Commands:
https://cks.example.com/status