This section explains the operations necessary for updating certificates when using an SSL accelerator of the server load balancer function.
When an update is necessary, the tenant user requests that the infrastructure administrator update the certificates used for the L-Platform currently in use.
Figure C.2 Flow of Update of Server Certificates and CA Certificates
Set maintenance mode on the NS Appliance whose certificates are to be updated.
For details on how to configure maintenance mode, refer to "22.1 Switchover of Maintenance Mode" in the "User's Guide for Infrastructure Administrators (Resource Management) CE".
Connect to the NS Appliance, and check the CA certificate corresponding to the server certificate of the update target.
This operation is performed when updating the CA certificate.
Execute the following command:
admin
password: Administrator Password
show cert certificate
show cert certificate Server Certificate Number chain
Enter the administrator password specified in "2.2.3.3 Network Configuration Information Files", which was created during installation of the NS Appliance.
When performing auto-configuration using user customization mode
Specify the number of the certificate which is used on the active L-Platform, as notified by the tenant user or tenant administrator.
When performing auto-configuration using simple configuration mode
Check and specify the number of the certificate corresponding to the "owner information (CN name)" which was provided by the tenant user or tenant administrator, referring to the results of "show cert certificate".
Confirm that the CA certificate corresponds to the server certificate, using the following item:
Item | Description |
---|---|
Chain | The certificate chain of the certificate. |
Delete the server certificate of the update target.
Execute the following command:
cert zeroize cert all Server Certificate Number
Specify the number of the certificate which is used on the active L-Platform, as notified by the tenant user or tenant administrator.
After executing the command, respond with "y" to the output reply message.
Register the server certificate of the update target.
Refer to "Registering Server Certificates" in "C.3.1 Registering Server Certificates and CA Certificates".
Specify the same certificate number for registration as the server certificate number deleted in step 3.
Delete the CA certificate of the update target.
Execute the following commands and determine, based on the expiration date, whether the CA certificate corresponding to the server certificate (i.e. the CA certificate with the number confirmed in step 2) needs to be updated.
show cert certificate Server Certificate Number
show cert ca-certificate
Specify the number of the CA certificate registered in step 4.
Information
In general, updating of CA certificates is not necessary in the following cases:
When the issuer information is the same
When the expiration period of the CA certificate is longer than that of the server certificate to be updated
When updating of the CA certificate is necessary, delete the target CA certificate.
For the number of the CA certificate to be deleted, specify the number of the CA certificate for which it was determined that updating is necessary.
When the registration number is between 1 and 18, do not delete the CA certificate.
Execute the following command:
cert zeroize ca CA Certificate Number
Specify the number of the CA certificate confirmed in step 2.
After executing the command, respond with "y" to the output reply message.
Register the CA certificate of the update target.
Refer to "Registering CA Certificates" in "C.3.1 Registering Server Certificates and CA Certificates". This operation is performed when updating the CA certificate.
The certificate numbers specified when registering are as follows:
When the CA certificate was deleted (the number of the target CA certificate is something other than 1 to 18), specify the same number as the CA certificate deleted in step 5.
When not deleting the CA certificate (the number of the target CA certificate is 1 to 18), register a new CA certificate.
Reflect the update of the certificate on the operating NS Appliance.
Execute the following command:
configure terminal
load running-config
commit
exit
exit
After executing the command, respond with "y" to the output reply message.
Execute the rcxnetworkservice certctl command.
rcxnetworkservice crtctl -name name -sync
Specify the NS appliance device name.
Execute this command when using the simple configuration mode.
For details on this command, refer to "A.1 rcxnetworkservice".
Release the maintenance mode configured when starting operations.
For details on how to release maintenance mode, refer to "22.1 Switchover of Maintenance Mode" in the "User's Guide for Infrastructure Administrators (Resource Management) CE".
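As an added example (not part of the manual or the product), the following shell function applies the check from the CA certificate deletion and registration steps above on an administrator workstation, using PEM copies of the renewed server certificate and the registered CA certificate. It assumes OpenSSL is installed, treats both conditions of the Information note as required, and adds a signature check with `openssl verify` that the manual does not mention; the function names and output words are hypothetical.

```sh
#!/bin/sh
# Added example, not from the manual. Decides whether the CA certificate
# registered on the NS Appliance must be replaced for a renewed server
# certificate, working on PEM copies of both on an admin workstation.
# Prints one of: keep | replace <number> | register-new (hypothetical labels).

# notAfter as a sortable YYYYMMDDHHMMSS number; openssl prints it in the
# form "notAfter=Jun  1 12:00:00 2026 GMT".
not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//' | awk '{
        m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $1) + 2) / 3
        gsub(":", "", $3)
        printf "%04d%02d%02d%s\n", $4, m, $2, $3 }'
}

ca_update_decision() {
    server_pem=$1   # renewed server certificate
    ca_pem=$2       # CA certificate currently registered
    ca_number=$3    # its number from "show cert ca-certificate"

    issuer=$(openssl x509 -in "$server_pem" -noout -issuer -nameopt RFC2253 |
        sed 's/^issuer= *//')
    ca_subject=$(openssl x509 -in "$ca_pem" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//')

    needed=no
    # Condition 1 of the Information note: the issuer information is the same.
    [ "$issuer" = "$ca_subject" ] || needed=yes
    # Condition 2: the CA certificate expires later than the server certificate.
    [ "$(not_after "$ca_pem")" -gt "$(not_after "$server_pem")" ] || needed=yes
    # Extra check, not in the manual: the signature must verify against this CA,
    # which catches a re-keyed CA that kept the same name.
    openssl verify -partial_chain -CAfile "$ca_pem" "$server_pem" \
        >/dev/null 2>&1 || needed=yes

    if [ "$needed" = no ]; then
        echo keep
    elif [ "$ca_number" -ge 1 ] && [ "$ca_number" -le 18 ]; then
        echo register-new          # numbers 1 to 18 must not be deleted
    else
        echo "replace $ca_number"  # delete, then register under the same number
    fi
}

# Direct use: sh ca_check.sh new_server.pem current_ca.pem 20
if [ $# -eq 3 ]; then ca_update_decision "$@"; fi
```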