Regenerating the server self-signed SSL certificates v10

If the PEM backend database server certificates are near expiring, plan to regenerate the certificates and key files.

To replace the self-signed SSL certificates:

  1. Stop all running PEM agents, first on the server host and then on any monitored host.

    • On Linux:

      # Running as root
      systemctl stop pemagent
    • On Windows: Use the Services applet to stop the PEM agent. The PEM agent service is named Postgres Enterprise Manager Agent. In the Services dialog box, select the service name, and select Stop the service.

  2. Back up the existing SSL certificates and keys:

    cd /var/lib/edb/as<x>/data
    mkdir certs
    mv server.* root.* ca_* certs/
  3. Use the openssl command to generate the ca_key.key file:

    openssl genrsa -out ca_key.key 4096 
  4. Move the ca_key.key file to the data directory of the backend server, and change the permissions:

    mv ca_key.key /var/lib/edb/as<x>/data
    chmod 600 /var/lib/edb/as<x>/data/ca_key.key
  5. Use ca_key.key to generate the ca_certificate.crt file:

    openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout ca_key.key -out ca_certificate.crt
  6. Change the permissions of the ca_certificate.crt file:

    chmod 600 /var/lib/edb/as<x>/data/ca_certificate.crt
  7. Reuse the ca_certificate.crt file as the root.crt file:

    cp /var/lib/edb/as<x>/data/ca_certificate.crt /var/lib/edb/as<x>/data/root.crt
  8. Change the owner and permissions on the root.crt file:

    chown enterprisedb /var/lib/edb/as<x>/data/root.crt
    chmod 600 /var/lib/edb/as<x>/data/root.crt
  9. Use the openssl_rsa_generate_crl() function to create the certificate revocation list root.crl:

    psql -U enterprisedb -d pem --no-psqlrc -t -A -c
    "SELECT openssl_rsa_generate_crl('/var/lib/edb/as<x>/data/ca_certificate.crt', '/var/lib/edb/as<x>/data/ca_key.key')" > /var/lib/edb/as<x>/data/root.crl
  10. Change the ownership and permissions of the root.crl file:

    chown enterprisedb /var/lib/edb/as<x>/data/root.crl
    chmod 600 /var/lib/edb/as<x>/data/root.crl
  11. Use the openssl command to generate the server.key file:

    openssl genrsa -out server.key 4096 
  12. Move the server.key to the data directory of the backend server, and change the ownership and permissions:

    mv server.key /var/lib/edb/as<x>/data
    chown enterprisedb /var/lib/edb/as<x>/data/server.key
    chmod 600 /var/lib/edb/as<x>/data/server.key
  13. Use the openssl req command to create the CSR:

    openssl req -new -key server.key -out server.csr -subj '/C=IN/ST=MH/L=Pune/O=EDB/CN=PEM'

    Where -subj is provided as per your requirements. You define CN asthe hostname/domain name of the PEM server host.

  14. Use the openssl x509 command to sign the CSR and generate a server certificate. Move the server.crt to the data directory of the backend database server:

    openssl x509 -req -days 365 -in server.csr -CA ca_certificate.crt -CAkey ca_key.key -CAcreateserial -out server.crt
    mv server.crt /var/lib/edb/as<x>/data

    Where -req indicates the input is a CSR. The -CA and -CAkey options specify the root certificate and private key to use for signing the CSR.

  15. Change the owner and the permissions on the server.crt file:

    chown enterprisedb /var/lib/edb/as<x>/data/server.crt
    chmod 600 /var/lib/edb/as<x>/data/server.crt
  16. Restart the PEM server:

    systemctl restart edb-as-<x>

    Restarting the backend database server restarts the PEM server.

  17. Regenerate each PEM agent's self-signed SSL certificates. For more information, see Regenerating agent SSL certificates.