Replace the Salt Master CA certificates

This section provides instructions on how to replace the Salt Master CA certificates.

To replace the Salt Master CA certificates:

  1. Log in to the Salt Master node.

  2. Back up the running Salt configuration in case a rollback is required:

    tar cf /root/salt-backup.tar /etc/salt /etc/pki/ca/salt_master_ca/
    gzip -9 /root/salt-backup.tar
    
  3. List all currently issued certificates.

    The Salt Master CA currently has no index file. Therefore, list all certificates and identify the latest ones using the salt_cert_list.py script:

    Note

    The script is available within Mirantis from the mcp-common-scripts GitHub repository.

    ./salt_cert_list.py
    

    Example of system response:

    /etc/pki/ca/salt_master_ca/certs/18:63:9E:A6:F3:7E:10:5F.crt (proxy, 10.20.30.10, horizon.multinode-ha.int)
    /etc/pki/ca/salt_master_ca/certs/EB:51:7C:DF:CE:E7:90:52.crt (10.20.30.10, 10.20.30.10, *.10.20.30.10)
    /etc/pki/ca/salt_master_ca/certs/15:DF:66:5C:8D:8B:CF:73.crt (internal_proxy, mdb01, mdb01.multinode-ha.int, 192.168.2.116, 192.168.2.115, 10.20.30.10)
    /etc/pki/ca/salt_master_ca/certs/04:30:B0:7E:76:98:5C:CC.crt (rabbitmq_server, msg01, msg01.multinode-ha.int)
    /etc/pki/ca/salt_master_ca/certs/26:16:E7:51:E4:44:B4:65.crt (mysql_server, 192.168.2.53, 192.168.2.50, dbs03, dbs03.multinode-ha.int)
    /etc/pki/ca/salt_master_ca/certs/78:26:2F:6E:2E:FD:6A:42.crt (internal_proxy, ctl02, 192.168.2.12, 10.20.30.10, 192.168.2.10)
    ...
    
  4. Update classes/cluster/<cluster_name>/infra/config.yml with the required values for the Salt Master CA. For example:

    parameters:
      _param:
        salt_minion_ca_country: us
        salt_minion_ca_locality: New York
        salt_minion_ca_organization: Planet Express
        salt_minion_ca_days_valid_authority: 3650
        salt_minion_ca_days_valid_certificate: 365
    
  5. Replace the Salt Master CA certificates:

    rm -f /etc/pki/ca/salt_master_ca/ca*
    salt-call state.sls salt.minion.ca -l debug
    
  6. Publish the Salt Master CA certificates as described in Publish CA certificates.

  7. Replace the certificates in your cloud environment according to the list of certificates obtained in step 3 of this procedure, as described in Manage certificates for the affected services.
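After step 5 the new CA exists, but every service certificate listed in step 3 is still signed by the old CA until step 7 is completed. The following script is an added example, not part of the Mirantis documentation or the mcp-common-scripts repository: it runs `openssl x509` on the CA certificate and on each certificate under the certs directory, compares the issuer of each certificate with the subject of the current CA, and reports the certificates still issued by the old CA (or already expired) together with their SANs, so they can be checked off against the step 3 list. It assumes the CA certificate is stored as `ca.crt` in `/etc/pki/ca/salt_master_ca/` (the procedure only shows `ca*`) and that OpenSSL 1.1.1 or later is installed; the `demo()` function runs the same logic over constructed sample output and needs no openssl.

```python
#!/usr/bin/env python3
"""Report service certificates that do not chain to the current Salt Master CA.

Added example; not from the Mirantis documentation or mcp-common-scripts.
"""
import glob
import os
import subprocess
from datetime import datetime, timezone

CA_DIR = "/etc/pki/ca/salt_master_ca"            # directory used in the procedure
CA_CERT = os.path.join(CA_DIR, "ca.crt")         # assumed file name of the CA certificate
CERTS_GLOB = os.path.join(CA_DIR, "certs", "*.crt")
# `-ext subjectAltName` requires OpenSSL 1.1.1 or later
OPENSSL_ARGS = ["x509", "-noout", "-subject", "-issuer", "-enddate", "-ext", "subjectAltName"]


def openssl_text(path):
    """Return what `openssl x509` prints for the certificate at `path`."""
    result = subprocess.run(["openssl", *OPENSSL_ARGS, "-in", path],
                            check=True, capture_output=True, text=True)
    return result.stdout


def parse_openssl_text(text):
    """Parse the `openssl x509` output produced by OPENSSL_ARGS.

    Returns subject, issuer, not_after (UTC datetime) and the SAN values
    (e.g. 'mdb01' or '192.168.2.116'). Subject and issuer are kept as the
    strings openssl prints, so they compare equal when both come from the
    same openssl binary.
    """
    info = {"subject": None, "issuer": None, "not_after": None, "sans": []}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("subject="):
            info["subject"] = line[len("subject="):].strip()
        elif line.startswith("issuer="):
            info["issuer"] = line[len("issuer="):].strip()
        elif line.startswith("notAfter="):
            # openssl prints e.g. "notAfter=Mar  4 10:11:12 2025 GMT"
            stamp = line[len("notAfter="):].strip()
            if stamp.endswith(" GMT"):
                stamp = stamp[:-4]
            parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
            info["not_after"] = parsed.replace(tzinfo=timezone.utc)
        elif line.startswith(("DNS:", "IP Address:")):
            # e.g. "DNS:mdb01, DNS:mdb01.multinode-ha.int, IP Address:192.168.2.116"
            for entry in line.split(","):
                _, _, value = entry.strip().partition(":")
                info["sans"].append(value.strip())
    return info


def find_stale_certificates(ca_info, cert_infos, now=None):
    """Return [(path, reason)] for certificates whose issuer is not the
    current CA subject, or that have already expired."""
    now = now or datetime.now(timezone.utc)
    stale = []
    for path, info in sorted(cert_infos.items()):
        if info["issuer"] != ca_info["subject"]:
            stale.append((path, "issued by old CA: " + str(info["issuer"])))
        elif info["not_after"] is not None and info["not_after"] <= now:
            stale.append((path, "expired " + info["not_after"].date().isoformat()))
    return stale


# Constructed sample outputs, so the logic can be exercised without openssl.
SAMPLE_CA_TEXT = """\
subject=C = us, L = New York, O = Planet Express, CN = Salt Master CA
issuer=C = us, L = New York, O = Planet Express, CN = Salt Master CA
notAfter=Jan  1 00:00:00 2035 GMT
"""
SAMPLE_OLD_CERT_TEXT = """\
subject=CN = mdb01
issuer=C = us, L = Amsterdam, O = Old Org, CN = Salt Master CA
notAfter=Jun 30 12:00:00 2030 GMT
X509v3 Subject Alternative Name:
    DNS:mdb01, DNS:mdb01.multinode-ha.int, IP Address:192.168.2.116
"""
SAMPLE_NEW_CERT_TEXT = SAMPLE_OLD_CERT_TEXT.replace(
    "C = us, L = Amsterdam, O = Old Org", "C = us, L = New York, O = Planet Express")
SAMPLE_EXPIRED_TEXT = SAMPLE_NEW_CERT_TEXT.replace("2030", "2020")


def demo():
    """Run the check over the constructed samples with a fixed clock."""
    ca_info = parse_openssl_text(SAMPLE_CA_TEXT)
    cert_infos = {
        os.path.join(CA_DIR, "certs", "AA:AA.crt"): parse_openssl_text(SAMPLE_OLD_CERT_TEXT),
        os.path.join(CA_DIR, "certs", "BB:BB.crt"): parse_openssl_text(SAMPLE_NEW_CERT_TEXT),
        os.path.join(CA_DIR, "certs", "CC:CC.crt"): parse_openssl_text(SAMPLE_EXPIRED_TEXT),
    }
    return find_stale_certificates(ca_info, cert_infos,
                                   now=datetime(2026, 1, 1, tzinfo=timezone.utc))


def main():
    """Check the real certificates on the Salt Master node."""
    ca_info = parse_openssl_text(openssl_text(CA_CERT))
    cert_infos = {p: parse_openssl_text(openssl_text(p)) for p in glob.glob(CERTS_GLOB)}
    for path, reason in find_stale_certificates(ca_info, cert_infos):
        print("%s (%s): %s" % (path, ", ".join(cert_infos[path]["sans"]), reason))


if __name__ == "__main__":
    main()
```

Run it on the Salt Master node after step 5 and again after step 7; the second run should print nothing. Because subject and issuer are compared as the strings openssl prints, run the check with one openssl binary only, since different OpenSSL versions format distinguished names differently.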