Replace the Salt Master keys

If your Salt Master keys have been compromised, you can replace both the Salt Master CA (certificate and private key) and the Salt Master RSA keys. Despite the .pem and .pub file names, the RSA keys under /etc/salt/pki are Salt's own transport keys, not SSH keys. Replacing the Salt Master keys does not affect the workloads in your cloud environment; only the Salt structure is updated. Keep in mind that the minion-side material depends on the Master keys: every minion caches the Salt Master public key as minion_master.pub and holds a certificate signed by the Salt Master CA, so a Master key replacement is only complete once that cached copy has been refreshed on each minion and the minion certificates have been re-issued from the new CA.

Salt Master keys structure

The files that make up the Salt Master key structure, with the purpose of each:

/etc/salt/minion.d/_pki.conf
    PKI configuration file pointing to the current Salt Master CA certificate path

/etc/pki/ca/salt_master_ca/
    Directory holding the Salt Master CA certificate and key

/etc/pki/ca/salt_master_ca/ca.crt
    Salt Master CA certificate

/etc/pki/ca/salt_master_ca/ca.key
    Salt Master CA private key

/etc/pki/ca/salt_master_ca/certs
    Directory holding the Salt minion certificates signed by the Salt Master CA

/etc/pki/ca/salt_master_ca/certs/XX:XX:XX:XX:XX:XX:XX:XX.crt
    Salt minion certificate signed by the Salt Master CA

  • /etc/salt/pki/minion/minion.pub
  • /etc/salt/pki/minion/minion.pem
  • /etc/salt/pki/minion/minion_master.pub
    Key material on a Salt minion: the minion's own RSA public key (minion.pub) and private key (minion.pem), plus the minion's cached copy of the Salt Master public key (minion_master.pub), which must match master.pub on the Salt Master

  • /etc/salt/pki/master/master.pem
  • /etc/salt/pki/master/master.pub
    Salt Master RSA private and public keys

/etc/salt/pki/master/minions/ctl01.example.int
    The accepted RSA public key of the minion ctl01.example.int, used by the Salt Master to authenticate that minion. Identical to /etc/salt/pki/minion/minion.pub on that minion
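As an added example that is not part of the original page or of Salt itself, the following Python script checks the two cross-host invariants the table states: the accepted key under /etc/salt/pki/master/minions/<minion_id> must equal minion.pub on that minion, and the minion's cached minion_master.pub must equal master.pub on the Salt Master. It recreates the layout in a temporary directory from constructed placeholder PEM files (not real RSA keys) so it runs offline; to use it for real, point check_key_structure at copies of the two /etc/salt/pki trees. The fingerprint format is my re-implementation of what salt-key -F prints (assumption: it matches salt.utils.crypt.pem_finger; compare against salt-key -F on your Master before relying on the exact string). The stale_master_copy flag simulates the state a minion is in right after a Master key replacement, when it still holds the old Master public key.

```python
"""Consistency check for the Salt Master key layout from the table above.

Added example (not from the page or from Salt). Constructed placeholder
PEM files stand in for real RSA keys: only the PEM framing matters to the
fingerprint logic, so the check is the same for real files.
"""
import hashlib
import os
import tempfile

# Constructed placeholder "keys" (not real RSA material).
MASTER_PUB = (b"-----BEGIN PUBLIC KEY-----\n"
              b"MASTERKEYLINE1\nMASTERKEYLINE2\n"
              b"-----END PUBLIC KEY-----\n")
OLD_MASTER_PUB = (b"-----BEGIN PUBLIC KEY-----\n"
                  b"OLDMASTERKEYLINE1\nOLDMASTERKEYLINE2\n"
                  b"-----END PUBLIC KEY-----\n")
MINION_PUB = (b"-----BEGIN PUBLIC KEY-----\n"
              b"MINIONKEYLINE1\nMINIONKEYLINE2\n"
              b"-----END PUBLIC KEY-----\n")


def pem_finger(path, sum_type="sha256"):
    """Fingerprint a PEM file in the salt-key -F style.

    Assumption: mirrors salt.utils.crypt.pem_finger (hash the body between the
    BEGIN/END lines, colon-separated hex). Returns "" if the file is missing.
    """
    if not os.path.isfile(path):
        return ""
    with open(path, "rb") as fp:
        lines = [ln for ln in fp.readlines() if ln.strip()]
    body = b"".join(lines[1:-1])  # drop the -----BEGIN/END----- lines
    digest = getattr(hashlib, sum_type)(body).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_key_structure(master_pki, minion_pki, minion_id):
    """Compare the files the table says must be identical across hosts.

    master_pki: a copy of /etc/salt/pki/master taken from the Salt Master.
    minion_pki: a copy of /etc/salt/pki/minion taken from minion `minion_id`.
    Returns {check_name: (ok, master_side_fingerprint, minion_side_fingerprint)}.
    """
    pairs = {
        # master/minions/<id> on the Master == minion/minion.pub on the minion
        "accepted_minion_key": (
            os.path.join(master_pki, "minions", minion_id),
            os.path.join(minion_pki, "minion.pub"),
        ),
        # master/master.pub on the Master == minion/minion_master.pub on the minion
        "cached_master_key": (
            os.path.join(master_pki, "master.pub"),
            os.path.join(minion_pki, "minion_master.pub"),
        ),
    }
    results = {}
    for name, (master_side, minion_side) in pairs.items():
        fp_master, fp_minion = pem_finger(master_side), pem_finger(minion_side)
        results[name] = (bool(fp_master) and fp_master == fp_minion, fp_master, fp_minion)
    return results


def build_layout(root, minion_id="ctl01.example.int", stale_master_copy=False):
    """Recreate the /etc/salt/pki tree under `root` with the placeholder keys.

    stale_master_copy=True leaves the minion holding the previous Master public
    key: the state right after a Master key replacement, before its
    minion_master.pub has been refreshed.
    """
    master_pki = os.path.join(root, "master")
    minion_pki = os.path.join(root, "minion")
    os.makedirs(os.path.join(master_pki, "minions"))
    os.makedirs(minion_pki)
    files = {
        os.path.join(master_pki, "master.pub"): MASTER_PUB,
        os.path.join(master_pki, "minions", minion_id): MINION_PUB,
        os.path.join(minion_pki, "minion.pub"): MINION_PUB,
        os.path.join(minion_pki, "minion_master.pub"):
            OLD_MASTER_PUB if stale_master_copy else MASTER_PUB,
    }
    for path, data in files.items():
        with open(path, "wb") as fp:
            fp.write(data)
    return master_pki, minion_pki


def demo(stale_master_copy=False, minion_id="ctl01.example.int"):
    """Build the constructed layout in a temp dir and run the checks on it."""
    with tempfile.TemporaryDirectory() as root:
        master_pki, minion_pki = build_layout(root, minion_id, stale_master_copy)
        return check_key_structure(master_pki, minion_pki, minion_id)


if __name__ == "__main__":
    for stale in (False, True):
        print(f"minion_master.pub {'stale' if stale else 'current'}:")
        for name, (ok, fp_master, fp_minion) in demo(stale).items():
            print(f"  {name}: {'OK' if ok else 'MISMATCH'}")
            print(f"    master side {fp_master}")
            print(f"    minion side {fp_minion}")
```

A MISMATCH on cached_master_key is the condition a minion is in when its cached Master public key no longer matches the Master's current master.pub; the fix is to refresh minion_master.pub on that minion, not to touch the Master. The CA half of the table can be checked with standard OpenSSL tooling, for instance openssl verify -CAfile /etc/pki/ca/salt_master_ca/ca.crt against each file under /etc/pki/ca/salt_master_ca/certs, which fails for any minion certificate still issued by a replaced CA.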