Replacing Certificates of the Store

The system encrypts the communication between the Store nodes with self-signed certificates generated during the installation. Use the following procedure to replace these certificates.

1. Make sure you have the following files in .pem format - use exactly the file names listed below:
   1. CA certificate - custom-es-ca-cert.pem - if there are several CA certificates (root CA and intermediate CAs) - the pem file should contain all certificates concatenated (one after the other).
   2. New Store certificate - dpod-es-server-cert.pem
   3. New Store certificate key - dpod-es-server-key.pem
2. Stop all the application services using app-util.sh (in a Cell Environment, stop the cell manager as well as all the cell members).

3. Configure DPOD (in a Cell Environment, configure the cell manager as well as all the cell members):
   1. Log in to DPOD's server using SSH.
   2. Create a new custom keys directory:

      mkdir -p /app/keys/store/custom

   3. Copy the pem files to this directory. i.e.:

      ls /app/keys/store/custom
      custom-es-ca-cert.pem dpod-es-server-cert.pem dpod-es-server-key.pem

   4. Create the CA certificate bundle:

      cat /app/keys/store/dpod-es-ca-cert.pem /app/keys/store/custom/custom-es-ca-cert.pem > /app/keys/store/custom/dpod-es-ca-cert.pem

   5. Deploy the files to the Store server nodes:

      ls -d1 /app/opensearch_nodes/config/MonTier-es-raw-trans-*/certs | xargs -I ddd cp -f /app/keys/store/custom/dpod-es-*.pem ddd

   6. Configure the Store server nodes with the new DN:

      ls -1 /app/opensearch_nodes/config/MonTier-es-raw-trans-*/opensearch.yml | xargs -I fff sed -i "s#plugins.security.nodes_dn:.*#plugins.security.nodes_dn: ['$(openssl x509 -subject -nameopt RFC2253 -noout -in /app/keys/store/custom/dpod-es-server-cert.pem | sed 's/subject=[[:space:]]*//')']#" fff

4. Start all the application services using app-util.sh (in a Cell Environment, start the cell manager and all the cell members).