If your Salt Master keys have been compromised, replace both the Salt Master CA and the Salt Master RSA key pairs. Replacing the Salt Master keys does not affect the cloud environment itself; only the Salt infrastructure is updated. Note that the keys referred to below as SSH RSA keys are the RSA key pairs used by the Salt master/minion transport, not OpenSSH host or user keys, so rotating them does not change SSH access to the nodes. The files involved are listed in the following table.
File path | Description |
---|---|
/etc/salt/minion.d/_pki.conf | PKI configuration file pointing to the current Salt Master CA certificate path |
/etc/pki/ca/salt_master_ca/ | Directory for the Salt Master CA certificate |
/etc/pki/ca/salt_master_ca/ca.crt | Salt Master CA certificate |
/etc/pki/ca/salt_master_ca/ca.key | Salt Master CA private key |
/etc/pki/ca/salt_master_ca/certs | Directory for the Salt minion certificates signed by the Salt Master CA certificate |
/etc/pki/ca/salt_master_ca/certs/XX:XX:XX:XX:XX:XX:XX:XX.crt | Salt minion certificate signed by the Salt Master CA |
 | Salt Master SSH RSA private and public keys for the Salt minion |
 | Salt Master SSH RSA private and public keys for the Salt Master |
/etc/salt/pki/master/minions/ctl01.example.int | RSA minion public key accepted by the Salt Master for communication with that minion. Identical to /etc/salt/pki/minion/minion.pub on the minion |
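After the replacement, the three relationships the table implies are worth verifying rather than assuming: the new ca.crt must belong to the new ca.key, every certificate left in certs/ must chain to the new CA (a certificate still signed by the old CA is a leftover), and the key the master has accepted for a minion under master/minions/ must be byte-identical to that minion's minion.pub. The following shell script is an added example, not part of the original page or of the product's own tooling; the helper names, the root-directory argument (so the checks can run against a test tree instead of /) and the constructed fixture built with openssl are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original page): post-rotation sanity checks for
# the Salt Master PKI layout described in the table above. Every function
# takes the root of the tree as $1 so it can be pointed at / on a live master
# or at a throwaway tree (see make_fixture below, a constructed fixture).
set -u

# The CA certificate and the CA private key must share the same RSA modulus.
check_ca_pair() {
    ca="$1/etc/pki/ca/salt_master_ca"
    [ -r "$ca/ca.crt" ] && [ -r "$ca/ca.key" ] || return 1
    crt_mod=$(openssl x509 -noout -modulus -in "$ca/ca.crt" 2>/dev/null) || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$ca/ca.key" 2>/dev/null) || return 1
    [ "$crt_mod" = "$key_mod" ]
}

# Every minion certificate in certs/ must verify against the current ca.crt;
# one that still chains to the old CA has not been reissued.
check_minion_certs() {
    ca="$1/etc/pki/ca/salt_master_ca"
    bad=0
    for crt in "$ca"/certs/*.crt; do
        [ -e "$crt" ] || continue
        openssl verify -CAfile "$ca/ca.crt" "$crt" >/dev/null 2>&1 || bad=$((bad + 1))
    done
    [ "$bad" -eq 0 ]
}

# The key accepted on the master for minion $2 must equal the minion's own
# public key (the table: master/minions/<id> equals minion/minion.pub).
check_accepted_key() {
    accepted="$1/etc/salt/pki/master/minions/$2"
    [ -r "$accepted" ] || return 1
    cmp -s "$accepted" "$1/etc/salt/pki/minion/minion.pub"
}

# Constructed fixture (assumption, for offline use): a fresh CA, one minion
# certificate signed by it, a correct accepted key for ctl01.example.int and
# a stale, pre-rotation key for ctl02.example.int. Prints the tree root.
make_fixture() {
    root=$(mktemp -d)
    ca="$root/etc/pki/ca/salt_master_ca"
    minion="$root/etc/salt/pki/minion"
    mkdir -p "$ca/certs" "$minion" "$root/etc/salt/pki/master/minions"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=salt_master_ca \
        -keyout "$ca/ca.key" -out "$ca/ca.crt" >/dev/null 2>&1
    openssl genrsa -out "$minion/minion.pem" 2048 >/dev/null 2>&1
    openssl rsa -in "$minion/minion.pem" -pubout -out "$minion/minion.pub" >/dev/null 2>&1
    openssl req -new -key "$minion/minion.pem" -subj /CN=ctl01.example.int \
        -out "$root/ctl01.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$root/ctl01.csr" -CA "$ca/ca.crt" -CAkey "$ca/ca.key" \
        -CAcreateserial -out "$ca/certs/00:11:22:33:44:55:66:77.crt" >/dev/null 2>&1
    cp "$minion/minion.pub" "$root/etc/salt/pki/master/minions/ctl01.example.int"
    openssl genrsa 2048 2>/dev/null | openssl rsa -pubout 2>/dev/null \
        > "$root/etc/salt/pki/master/minions/ctl02.example.int"
    echo "$root"
}

# Usage on a live master (run as root):
#   check_ca_pair / && check_minion_certs / && check_accepted_key / ctl01.example.int
```

The accepted-key comparison is deliberately a byte comparison: after a rotation, a minion whose master/minions/<id> entry no longer matches its minion.pub is exactly the minion that will fail to authenticate, and cmp makes that visible before the first failed Salt call does.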