Managing Expired Keys and Certificates

Both self-signed and CA-signed certificates expire at the end of their validity period, and the expiration of these public keys and certificates impacts ISR functionality if left unchecked.

Checking the Expiration Dates of ISR Keys

The following sections describe how to check the expiration dates of current certificates on each component host.

RSS

To check the expiration dates for RSS certificates, on the RSS host, execute the following commands and note the expiration dates in the output.

  • RSS Java API
    $ keytool -v -printcert -file /opt/isr/security/keys/israpi-public.key | grep Valid
  • Recorder and Converter webservices
    $ keytool -v -list -keystore /opt/isr/security/keys/tomcat.keystore | grep -A 8 israpi-key | grep Valid

Dashboard

To check the expiration dates for Dashboard certificates, on the Dashboard host, execute the following command and note the expiration date in the output.
$ keytool -v -printcert -file /opt/isr/security/keys/puma.crt | grep Valid

FACE

To check the expiration date for the FACE certificate, on the FACE host, execute the following command and note the expiration date in the output.

$ keytool -v -list -keystore /opt/isr/security/keys/tomcat.keystore | grep -A 8 face-key | grep Valid
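The keytool commands above locate the Valid line by hand (the -A 8 offset is the distance from the alias line to the Valid line in -v -list output). The following script is an added example, not part of the ISR documentation or its configIsr.sh tooling: it parses that same keytool output, whether from -v -list or -printcert, and reports days left per alias against an assumed 30-day renewal lead time; the sample listing, aliases and IPs are constructed.

```python
import re
import sys
from datetime import datetime, timezone

# keytool -v prints e.g. "Valid from: Thu Jan 05 10:00:00 UTC 2023 until: Fri Jan 05 10:00:00 UTC 2024"
_ALIAS_RE = re.compile(r"^Alias name: (.+)$")
_VALID_RE = re.compile(r"^Valid from: (.+?) until: (.+)$")

def parse_keytool_date(text):
    """Parse a keytool date; the zone token (the JVM's local zone name) is dropped and
    the value treated as UTC, which is accurate enough for a days-left check."""
    _dow, mon, day, hms, _zone, year = text.split()
    stamp = datetime.strptime(f"{mon} {day} {hms} {year}", "%b %d %H:%M:%S %Y")
    return stamp.replace(tzinfo=timezone.utc)

def parse_validity(output):
    """Map alias -> (not_before, not_after) from `keytool -v -list` output; `-printcert`
    output (israpi-public.key, puma.crt) has no alias line and is keyed 'certificate'."""
    result, alias = {}, "certificate"
    for line in output.splitlines():
        line = line.strip()
        if m := _ALIAS_RE.match(line):
            alias = m.group(1)
        elif (m := _VALID_RE.match(line)) and alias not in result:  # chain[1] is the host cert
            result[alias] = (parse_keytool_date(m.group(1)), parse_keytool_date(m.group(2)))
    return result

def expiry_report(output, now=None, warn_days=30):
    """Return [(alias, days_left, status)]; warn_days (30 assumed) is the renewal lead time."""
    now = now or datetime.now(timezone.utc)
    report = []
    for alias, (_not_before, not_after) in parse_validity(output).items():
        days = (not_after - now).days
        status = "EXPIRED" if days < 0 else "EXPIRING" if days <= warn_days else "OK"
        report.append((alias, days, status))
    return report

# Constructed sample modelled on an RSS tomcat.keystore listing (aliases and IPs are made up).
SAMPLE = """\
Alias name: israpi-key
Valid from: Thu Jan 05 10:00:00 UTC 2023 until: Fri Jan 05 10:00:00 UTC 2024

Alias name: face-key-10.10.20.40
Valid from: Wed Mar 01 09:00:00 UTC 2023 until: Fri Mar 01 09:00:00 UTC 2024
"""

if __name__ == "__main__":  # pipe real keytool output in; with no stdin the sample is used
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for alias, days, status in expiry_report(text):
        print(f"{status:8} {alias:28} {days:5d} days left")
```

On a host, run it as `keytool -v -list -keystore /opt/isr/security/keys/tomcat.keystore | python3 check_expiry.py` (the script name is an assumption); a non-empty EXPIRING or EXPIRED line is the signal to schedule the renewal procedure below.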

Updating Expiring Self-Signed Keys

The following sections describe how to update expiring self-signed keys on each component host.

Expiring RSS Certificate

The following instructions describe how to update an expiring RSS certificate.

  1. On the RSS host, move keys to an archive directory.
    $ mkdir /opt/isr/security/keys/old
    $ mv /opt/isr/security/keys/rss_*.pem /opt/isr/security/keys/old
    $ mv /opt/isr/security/keys/*public.key* /opt/isr/security/keys/old
  2. Run the configIsr.sh script to regenerate the keys.
    $ sudo /opt/isr/configIsr.sh
    • Hit <Enter> and choose yes at the following prompt:
      Now Generating RSS key and certificate files. If you have not already configured the RSS data network IP address, please skip this key generation, configure networking and run the configuration option 'm' again.
      Hit <Enter> when ready.
      Continue generating key and certificate files: [yes]
    • Follow the configIsr script prompts closely.
  3. On the Dashboard host, import the new keys.
    $ sudo /opt/isr/configIsr.sh
    • Choose the 'k' option to "Manage ISR keys".
    • Choose the 'r' option to "Import keys from an RSS".
    • Follow the script's instructions closely.
  4. On the FACE host, import the new keys.
    $ sudo /opt/isr/configIsr.sh
    • Choose the 'k' option to "Manage ISR keys".
    • Choose the 'r' option to "Import keys from an RSS".
    • Follow the script's instructions closely.
    • Allow the export of the FACE key to the RSS to fail.

Expiring Dashboard Certificate

The following instructions describe how to update an expiring Dashboard certificate.

  1. On the Dashboard host, move keys to an archive directory.
    $ mkdir /opt/isr/security/keys/old
    $ mv /opt/isr/security/keys/server.* /opt/isr/security/keys/old/
    $ mv /opt/isr/security/keys/puma.crt /opt/isr/security/keys/old/
  2. Run the configIsr.sh script to regenerate the keys.
    $ sudo /opt/isr/configIsr.sh
    • Hit <Enter> and choose yes at the following prompt:
      Generating Private Key. Please enter a new key password when prompted. Please do not lose this password as it will be required throughout the installation process.
      Hit <Enter> when ready.
      Continue generating key and certificate files: [yes]
    • Follow the configIsr script prompts closely.

Expiring FACE Certificate

The following instructions describe how to update an expiring FACE certificate.

  1. On the FACE host, move keys to an archive directory.
    $ mkdir /opt/isr/security/keys/old
    $ mv /opt/isr/security/keys/*.* /opt/isr/security/keys/old/
  2. Run the configIsr.sh script to regenerate the keys.
    $ sudo /opt/isr/configIsr.sh
    • Hit <Enter> and choose yes at the following prompt:
      Now Generating RSS key and certificate files. If you have not already configured the RSS data network IP address, please skip this key generation, configure networking and run the configuration option 'm' again.
      Hit <Enter> when ready.
      Continue generating key and certificate files: [yes]
    • Follow the configIsr script prompts closely.
  3. On the RSS host(s), remove the FACE public key from the keystore. Execute the first command to list the FACE entry, note its alias name, and use that alias in the second command.
    $ keytool -v -list -keystore /opt/isr/security/keys/tomcat.keystore | grep face
    $ sudo keytool -delete -alias face-key-<e.g. 10.10.20.30> -keystore /opt/isr/security/keys/tomcat.keystore
  4. On the FACE host, import the RSS keys and export the new FACE key.
    $ sudo /opt/isr/configIsr.sh
    • Choose the 'k' option to "Manage ISR keys".
    • Choose the 'r' option to "Import keys from an RSS".
    • Follow the script's instructions closely.
  5. Copy the original private key back into the keys directory.
    $ sudo cp /opt/isr/security/keys/old/isr.key /opt/isr/security/keys/