Renew and replace certificates and keys

In the customer-managed certificates deployment model (unlike in the PEG-managed certificates deployment model), certificates and keys that are about to expire are not renewed and replaced automatically, so you need to perform these tasks manually.

先决条件

When your certificates are about to expire, you must perform the following tasks:

Create a new certificate.
Upload the new certificate.

Create a new certificate and key. Ensure that PEG creates the new certificate signing request.

If you want PEG to generate the new certificates and keys, perform the following steps:

过程

Run cd peg && ./peg_start.sh.
Select Cluster Management.
Select Generate Certificate Requests.
Fill out the options that follow.
Exit the menu.
The csrs are located in ~/peg/csr.
Create certificates. For more information, see Create certificates.

Upload the new certificates

Upload the new PEG certificates.

过程

Copy the PEG certificates that you created to the /peg_v/certs/ directory.
Ensure that they are named according to the certificate file names in 表 1.
If you also created your own keys, then copy the PEG keys that you created to the /peg_v/keys/ directory. Ensure that the keys are not password-protected. Also, ensure that they are named according to the certificate file names in 表 1.
If you did not create your own keys, then the PEG-generated keys are included by PEG.
Run ~/peg/scripts/validatecerts.sh.
To confirm that the certificates are valid, continue only if the script displays the following: All checks passed!
Run the following command on PEG so it loads the latest certificates:
```
kubectl rollout restart deployment.apps/traefik -n kube-system
```

Automation 360