Regenerating the agent self-signed SSL certificates v10
You need to regenerate the agent certificates and key files:
- If the PEM server certificates are regenerated
- If the PEM agent certificates are near expiring
You must regenerate a certificate and a key for each agent interacting with the PEM server and copy it to the agent.
Each agent has a unique identifier that's stored in the pem.agent table of the pem database. You must replace the certificate and key files with the certificate and key files that correspond to the agent's identifier.
Prerequisites:
- PEM server has self-signed certificates.
- ca_certificate.crt and ca_key.key are in the data directory of the PEM backend database server.
- ca_certificate.crt is the same as root.crt.
- ca_certificate.crt and ca_key.key are valid SSL certificates and keys.
To generate a PEM agent certificate and key file pair:
Use psql to find the number of agents and their corresponding identifiers:
Stop all the running PEM agents:
On Windows, use the Services applet to stop the PEM agent. The PEM agent service is named Postgres Enterprise Manager Agent. In the Services dialog box, select the service name, and select Stop the service.
After identifying the agents that need key files, generate an agent.key for each agent:
Where ID is the agent identifier.
Generate a certificate signing request (CSR) for each agent:
Where CN is the agent<ID>.
Use the openssl x509 command to sign the CSR and generate an agent certificate:
Where -req indicates the input is a CSR. The -CA and -CAkey options specify the root certificate and private key to use for signing the CSR.
Before generating the next certificate and key file pair, move the agent.key and agent.crt files generated in steps 2 and 4 to their respective PEM agent host.
Change the permission on the new agent<ID>.crt and agent<ID>.key file:
Back up the old agent certificate and key files:
Replace each agent's certificate and key file with the newly generated files:
Start the PEM agent service.
On Linux:
On Windows: Use the Services applet to start the PEM agent. The PEM agent service is named Postgres Enterprise Manager Agent. In the Services dialog box, select the service name, and select Start the service.
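The key, CSR and signing steps above, followed by the checks worth running before a new pair replaces the old one, as an added example that is not taken from the PEM documentation. The function names, the 4096-bit key size, the 365-day validity, mode 600, the integer ID check and the throwaway test CA are assumptions.

```shell
#!/bin/sh
# Added example, not EDB's own script. Function names are hypothetical.

# Usage: issue_agent_cert <agent-id> <ca_certificate.crt> <ca_key.key> <out-dir>
issue_agent_cert() {
    id=$1 ca_crt=$2 ca_key=$3 out=$4
    case $id in ''|*[!0-9]*) return 1 ;; esac   # assumption: IDs are integers
    key="$out/agent$id.key" csr="$out/agent$id.csr" crt="$out/agent$id.crt"

    # Private key, owner-only from creation. 4096 bits is an assumed default.
    ( umask 077
      openssl genrsa -out "$key" "${AGENT_KEY_BITS:-4096}" 2>/dev/null ) || return 1

    # CSR whose CN is agent<ID>.
    openssl req -new -key "$key" -out "$csr" -subj "/CN=agent$id" || return 1

    # Sign the CSR with the CA pair. -CAcreateserial writes a .srl serial file
    # alongside the CA certificate, so that location must be writable.
    openssl x509 -req -days 365 -in "$csr" -CA "$ca_crt" -CAkey "$ca_key" \
        -CAcreateserial -out "$crt" 2>/dev/null || return 1   # 365 days assumed
    chmod 600 "$key" "$crt"                                   # assumed mode
    verify_agent_cert "$id" "$ca_crt" "$key" "$crt"
}

# Returns 0 if OK, 2 = not signed by this CA, 3 = wrong CN, 4 = key mismatch.
verify_agent_cert() {
    id=$1 ca_crt=$2 key=$3 crt=$4
    openssl verify -CAfile "$ca_crt" "$crt" >/dev/null 2>&1 || return 2
    openssl x509 -in "$crt" -noout -subject |
        grep -Eq "CN ?= ?agent$id(,|/|\$)" || return 3
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout)" ] || return 4
}

# Constructed throwaway CA standing in for ca_certificate.crt / ca_key.key,
# so the functions can be exercised away from the PEM server.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
        -keyout "$1/ca_key.key" -out "$1/ca_certificate.crt" 2>/dev/null
}
```

Running verify_agent_cert again on the agent host after the copy catches a pair that was moved to the wrong agent, since the CN check fails when the ID does not match.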