You can change the certificate validity period by managing the validity period of the signing policy, which is used for certificate generation and is set to 365 days by default.
Note: The procedure does not update the CA certificates and does not change the signing policy itself.
To change the certificate validity period:

1. Log in to the Salt Master node.

2. In classes/cluster/<cluster_name>/infra/config/init.yml, specify the following pillar:

       parameters:
         _param:
           salt_minion_ca_days_valid_certificate: <required_value>
           qemu_vnc_ca_days_valid_certificate: <required_value>

3. Apply the changes:

       salt '*' saltutil.sync_all
       salt -C 'I@salt:master' state.sls salt.minion.ca
       salt -C 'I@salt:master' state.sls salt.minion

4. Remove the certificate you need to update.

5. Apply the following state:

       salt -C '<target_node>' state.sls salt.minion.cert

6. Verify the end date of the updated certificate:

       salt -C '<target_node>' cmd.run 'openssl x509 -enddate -noout -in <path_to_cert>'
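The verification step can be extended to confirm that the reissued certificate was actually signed with the new period, not just that it has some end date. The following is an added example, not part of the original procedure: it parses the output of `openssl x509 -startdate -enddate -noout -in <path_to_cert>` and compares the issued lifetime with the pillar value. It assumes the issued lifetime (notAfter minus notBefore, in whole days) equals the configured number of days; the function names and the sample dates are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample of `openssl x509 -startdate -enddate -noout` output.
SAMPLE = """notBefore=Mar  1 12:00:00 2024 GMT
notAfter=Mar  1 12:00:00 2026 GMT
"""

_OPENSSL_FMT = "%b %d %H:%M:%S %Y %Z"  # date format printed by openssl x509


def parse_dates(openssl_output):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    found = dict(re.findall(r"^(notBefore|notAfter)=(.+)$", openssl_output, re.M))
    if set(found) != {"notBefore", "notAfter"}:
        raise ValueError("expected both notBefore= and notAfter= lines")

    def to_utc(value):
        parsed = datetime.strptime(value.strip(), _OPENSSL_FMT)
        return parsed.replace(tzinfo=timezone.utc)

    return to_utc(found["notBefore"]), to_utc(found["notAfter"])


def check_validity(openssl_output, expected_days, now=None):
    """Compare a certificate's issued lifetime with the configured pillar value."""
    not_before, not_after = parse_dates(openssl_output)
    now = now or datetime.now(timezone.utc)
    issued_days = (not_after - not_before).days
    return {
        "issued_days": issued_days,
        # False means the certificate was not reissued under the new value.
        "matches_pillar": issued_days == expected_days,
        "days_remaining": (not_after - now).days,
        "expired": now >= not_after,
        "not_yet_valid": now < not_before,
    }


if __name__ == "__main__":
    # 730 stands in for the <required_value> set in the pillar.
    print(check_validity(SAMPLE, expected_days=730))
```

A result with `matches_pillar` set to false after step 5 usually means the old certificate file was not removed, so the state left it in place.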