Kaspersky Unified Monitoring and Analysis Platform

Reissuing internal CA certificates

August 7, 2024

ID 275543

The storage location of the self-signed CA certificate and the certificate reissue mechanism have changed.

The certificate is stored in the database. The previous method of reissuing internal certificates by deleting certificates from the Core file system and restarting the Core is no longer allowed and will cause the Core to fail to start. Until the certificate reissuing process is completed, new services may not be connected to the Core.

After reissuing the internal CA certificates in the Settings → General → Reissue internal CA certificates section of the KUMA web interface, you must stop the services, delete the old certificates from service directories, and manually restart all services.

The Reissue internal CA certificates option is available only to a user with the General Administrator role.

The process of reissuing certificates for an individual service remains the same: in the KUMA web interface, in the Active services section, select the service, select Reset certificate in the context menu, and delete the old certificate in the service installation directory. KUMA automatically generates a new certificate. You do not need to restart running services; the new certificate is applied automatically. A stopped service must be restarted to have the certificate applied.

To reissue internal CA certificates:

  1. In the KUMA web interface, go to the Settings → General section, click Reissue internal CA certificates and read the displayed warning. If you decide to continue reissuing certificates, click Yes.

    As a result, the CA certificates for KUMA services and the CA certificate for ClickHouse are reissued. Next, you must stop the services, delete old certificates from the service installation directories, restart the Core, and restart the stopped services to apply the reissued certificates.

  2. Connect to the hosts where the collector, correlator, and event router services are deployed.
    1. Stop all services with the following command:

      sudo systemctl stop kuma-<collector/correlator/eventRouter>-<service ID>.service

    2. Delete the internal.cert and internal.key certificate files from the "/opt/kaspersky/kuma/<service type>/<service ID>/certificates" directories with the following commands:

      sudo rm -f /opt/kaspersky/kuma/<service type>/<service ID>/certificates/internal.cert

      sudo rm -f /opt/kaspersky/kuma/<service type>/<service ID>/certificates/internal.key

  3. Connect to the hosts where storage services are deployed.
    1. Stop all storage services.

      sudo systemctl stop kuma-<storage>-<service ID>.service

    2. Delete the internal.cert and internal.key certificate files from the "/opt/kaspersky/kuma/storage/<service ID>/certificates" directories.

      sudo rm -f /opt/kaspersky/kuma/storage/<service ID>/certificates/internal.cert

      sudo rm -f /opt/kaspersky/kuma/storage/<service ID>/certificates/internal.key

  4. Delete all ClickHouse certificates from the "/opt/kaspersky/kuma/clickhouse/certificates" directory.

    sudo rm -f /opt/kaspersky/kuma/clickhouse/certificates/internal.cert

    sudo rm -f /opt/kaspersky/kuma/clickhouse/certificates/internal.key

  5. Connect to the hosts where agent services are deployed.
    1. Stop the services of Windows agents and Linux agents.
    2. Delete the internal.cert and internal.key certificate files from working directories of the agents.

      sudo /opt/kaspersky/kuma/kuma agent --core https://kuma.example.com:7210 -<agent ID> --wd /opt/kaspersky/kuma/agent/<agent ID>

  6. Restart the Core to apply the new CA certificates.

    sudo systemctl restart kuma-core-00000000-0000-0000-0000-000000000000.service

  7. Restart all services that were stopped during the procedure.

    sudo systemctl start kuma-<collector/correlator/eventRouter/storage>-<service ID>.service

  8. Restart victoria-metrics.

    sudo systemctl start kuma-victoria-metrics.service

Internal CA certificates are reissued and applied.
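
Before restarting the Core in step 6, a read-only check like the following can confirm that steps 2 to 5 left no old internal.cert or internal.key files behind on a host, while leaving the Core directory alone. This is an added example, not part of the Kaspersky documentation. The function name is hypothetical, and the directory names for the event router and agent services, as well as the "certificates" subdirectory for agents, are assumptions based on the paths shown above.

```shell
#!/bin/sh
# Added example: report old internal certificates that are still on disk.
# It only lists files; it never deletes anything.
# Layout taken from the paths on this page:
#   <root>/<service type>/<service ID>/certificates/internal.{cert,key}
#   <root>/clickhouse/certificates/internal.{cert,key}
# The Core directory is deliberately not scanned: the page states that
# deleting certificates from the Core file system breaks Core startup.

# find_stale_kuma_certs [root]   (hypothetical helper name)
# Prints one leftover path per line.
# Returns 0 if nothing is left, 1 if leftovers exist, 2 if root is missing.
find_stale_kuma_certs() {
    root="${1:-/opt/kaspersky/kuma}"
    if [ ! -d "$root" ]; then
        echo "no such directory: $root" >&2
        return 2
    fi
    # "eventRouter" and "agent" directory names are assumptions.
    found=$(find "$root" -type f \
        \( -name internal.cert -o -name internal.key \) \
        \( -path "$root/clickhouse/certificates/*" \
           -o -path "$root/collector/*/certificates/*" \
           -o -path "$root/correlator/*/certificates/*" \
           -o -path "$root/eventRouter/*/certificates/*" \
           -o -path "$root/storage/*/certificates/*" \
           -o -path "$root/agent/*/certificates/*" \) \
        2>/dev/null | sort)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Usage on a service host, after the stop and delete steps:
#   find_stale_kuma_certs /opt/kaspersky/kuma && echo "no old certificates left"
```

A non-zero return with paths printed means a service directory on that host still holds an old certificate and should be cleaned up before the services are started again.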
