After you deploy an MCP cluster, you can renew your expired certificates or replace them with the endpoint certificates provided by a customer as required. When you renew a certificate, its key remains the same. When you replace a certificate, a new certificate key is added accordingly.
You can either push certificates from pillars or regenerate them as follows:
salt-minion (signed by salt-master)

Certificates generated by salt-minion can be renewed by the salt-minion state. The renewal operation becomes available within 30 days before the expiration date. This is controlled by the days_remaining parameter of the x509.certificate_managed Salt state. Refer to Salt.states.x509 for details.

You can force renewal of certificates by removing old certificates and running the salt.minion.cert state on each target node.
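
To see which certificates on a node already fall inside the 30-day renewal window before running the state, the following added example (not part of the original documentation) classifies each certificate file with openssl x509 -checkend. The function names, the WINDOW_DAYS variable and the directory argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report which certificates are inside the renewal window.
# WINDOW_DAYS mirrors the 30-day days_remaining window described above
# (assumed name, not a Salt setting).
WINDOW_DAYS=30

# cert_status FILE [DAYS]
# Prints one of: unreadable, expired, renewable, valid.
cert_status() {
    cert=$1
    days=${2:-$WINDOW_DAYS}
    # Reject files that are not parseable certificates (keys, CSRs, junk).
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo unreadable
        return 1
    fi
    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -in "$cert" -noout \
            -checkend $((days * 86400)) >/dev/null 2>&1; then
        echo renewable
    else
        echo valid
    fi
}

# report_renewal_window DIR [DAYS]
# One tab-separated line per *.crt / *.pem file: status, notAfter, path.
report_renewal_window() {
    dir=$1
    days=${2:-$WINDOW_DAYS}
    for f in "$dir"/*.crt "$dir"/*.pem; do
        [ -f "$f" ] || continue
        printf '%s\t%s\t%s\n' \
            "$(cert_status "$f" "$days")" \
            "$(openssl x509 -in "$f" -noout -enddate 2>/dev/null)" \
            "$f"
    done
}

# Run as: sh script.sh <certificate-directory> [days]
if [ "$#" -gt 0 ]; then
    report_renewal_window "$@"
fi
```

Files reported as renewable or expired are the ones the state will reissue on its next run; a file reported as valid is left alone unless it is removed first, as described above.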