Reissuing internal CA certificates

Changed the storage location of the self-signed CA certificate and the certificate reissue mechanism.

The certificate is stored in the database. The previous method of reissuing internal certificates by deleting certificates from the Core file system and restarting the Core is no longer allowed and will cause the Core to fail to start. Until the certificate reissuing process is completed, new services may not be connected to the Core.

After reissuing the internal CA certificates in the SettingsGeneralReissue internal CA certificates section of the KUMA web interface, you must stop the services, delete the old certificates from service directories, and manually restart all services.

The Reissue internal CA certificates option is available only to a user with the General Administrator role.

The process of reissuing certificates for an individual service remains the same: in the KUMA web interface, in the Active services section, select the service, in the context menu, select Reset certificate, and delete the old certificate in the service installation directory. KUMA automatically generates a new certificate. You do not need to restart running services, the new certificate is applied automatically. A stopped service must be restarted to have the certificate applied.

To reissue internal CA certificates:

  1. In the KUMA web interface, go to the SettingsGeneral section, click Reissue internal CA certificates and read the displayed warning. If you decide to continue reissuing certificates, click Yes.

    As a result, the CA certificates for KUMA services and the CA certificate for ClickHouse are reissued. Next, you must stop the services, delete old certificates from the service installation directories, restart the Core, and restart the stopped services to apply the reissued certificates.

  2. Connect to the hosts where the collector, correlator, and event router services are deployed.
    1. Stop all services with the following command:

      sudo systemctl stop kuma-<collector/correlator/eventRouter>-<service ID>.service

    2. Delete the internal.cert and internal.key certificate files from the "/opt/kaspersky/kuma/<service type>/<service ID>/certificates" directories with the following command:

      sudo rm -f /opt/kaspersky/kuma/<service type>/<service ID>/certificates/internal.cert

      sudo rm -f /opt/kaspersky/kuma/<service type>/<service ID>/certificates/internal.key

  3. Connect to the hosts where storage services are deployed.
    1. Stop all storage services.

      sudo systemctl stop kuma-<storage>-<service ID>.service

    2. Delete the internal.cert and internal.key certificate files from the "/opt/kaspersky/kuma/storage/<ID service>/certificates" directories.

      sudo rm -f /opt/kaspersky/kuma/storage/<service ID>/certificates/internal.cert

      sudo rm -f /opt/kaspersky/kuma/storage/<service ID>/certificates/internal.key

  4. Delete all ClickHouse certificates from the "/opt/kaspersky/kuma/clickhouse/certificates" directory.

    sudo rm -f /opt/kaspersky/kuma/clickhouse/certificates/internal.cert

    sudo rm -f /opt/kaspersky/kuma/clickhouse/certificates/internal.key

  5. Connect to the hosts where agent services are deployed.
    1. Stop the services of Windows agents and Linux agents.
    2. Delete the internal.cert and internal.key certificate files from working directories of the agents.
  6. Start the Core to apply the new CA certificates.
    • For an "all-in-one" or distributed installation of KUMA, run the following command:

      sudo systemctl restart kuma-core-00000000-0000-0000-0000-000000000000.service

    • For KUMA in a high availability configuration, to restart the Core, run the following command on the primary controller:

      sudo k0s kubectl rollout restart deployment/core-deployment -n kuma

      You do not need to restart victoria-metrics.

      The Core must be restarted using the command because restarting the Core in the KUMA interface affects only the Core container and not the entire pod.

  7. Restart all services that were stopped during the procedure.

    sudo systemctl start kuma-<collector/correlator/eventRouter/storage>-<service ID>.service

  8. Restart victoria-metrics.

    sudo systemctl start kuma-victoria-metrics.service

Internal CA certificates are reissued and applied.

Page top