Regenerating the server self-signed SSL certificates v10
If the PEM backend database server certificates are near expiring, plan to regenerate the certificates and key files.
To replace the self-signed SSL certificates:
Stop all running PEM agents, first on the server host and then on any monitored host.
On Linux:
On Windows: Use the Services applet to stop the PEM agent. The PEM agent service is named Postgres Enterprise Manager Agent. In the Services dialog box, select the service name, and select Stop the service.
Back up the existing SSL certificates and keys:
Use the
openssl
command to generate theca_key.key
file:Move the
ca_key.key
file to the data directory of the backend server, and change the permissions:Use
ca_key.key
to generate theca_certificate.crt
file:Change the permissions of the
ca_certificate.crt
file:Reuse the
ca_certificate.crt
file as theroot.crt
file:Change the owner and permissions on the
root.crt
file:Use the
openssl_rsa_generate_crl()
function to create the certificate revocation listroot.crl
:Change the ownership and permissions of the
root.crl
file:Use the
openssl
command to generate theserver.key
file:Move the
server.key
to the data directory of the backend server, and change the ownership and permissions:Use the
openssl req
command to create the CSR:Where
-subj
is provided as per your requirements. You defineCN
asthe hostname/domain name of the PEM server host.Use the
openssl x509
command to sign the CSR and generate a server certificate. Move theserver.crt
to the data directory of the backend database server:Where
-req
indicates the input is a CSR. The-CA
and-CAkey
options specify the root certificate and private key to use for signing the CSR.Change the owner and the permissions on the
server.crt
file:Restart the PEM server:
Restarting the backend database server restarts the PEM server.
Regenerate each PEM agent's self-signed SSL certificates. For more information, see Regenerating agent SSL certificates.