Replacing self-signed certificates

You can replace the self-signed certificate with a CA-signed certificate by using the dockerManageZoa.sh config-certificates use-provided or podmanManageZoa.sh config-certificates use-provided command.

Before you begin

For this process, you must provide the following artifacts:

  • A CA-signed certificate in PEM format.
  • The root certificate and, if your CA issues one, the intermediate certificate that are required to validate the CA-signed certificate. These certificates must also be in PEM format.
    Note: Certificate chains are not supported: a single PEM file that concatenates several certificates is not accepted, so supply the root certificate and the intermediate certificate as separate files. The config-certificates use-provided command accepts one intermediate certificate (see the Important note in step 5).

If your CA signing process permits, the best practice is to generate the certificate signing request with the config-certificates subcommands of dockerManageZoa.sh or podmanManageZoa.sh, so that the private key is created and stays on the system where Z Resource Discovery runs.

Procedure

  1. On the system where Z Resource Discovery is installed, prepare a directory for storing the CA artifacts (such as /usr/share/CAresources).
    • This directory must not be a subdirectory of the ZOA_HOME directory.
    • The user ID under which the Z Resource Discovery containers are run must have read and write access to this directory and all contents.
  2. If your CA signing process permits, generate the certificate signing request by using the utility commands that are provided in Z Resource Discovery.
    1. Open the ZOA_HOME/zoa_env.config file, and update the values of the following configuration properties as appropriate:
      • CRYPT_ALGO
      • COUNTRY
      • STATE
      • LOCATION
      • ORG_NAME
      • ORG_UNIT
    2. Save and close the file.
    3. Run the following commands to produce a new set of self-signed TLS artifacts, including a certificate signing request that carries the configuration properties you specified in step 2a. The force-generate subcommand replaces the existing private key and self-signed certificate; the export subcommand writes the artifacts to the ZOA_HOME/ssl_export directory.
      Docker
      
      cd ZOA_HOME
      ./bin/dockerManageZoa.sh config-certificates force-generate
      ./bin/dockerManageZoa.sh config-certificates export
      
      Podman
      
      cd ZOA_HOME
      ./bin/podmanManageZoa.sh config-certificates force-generate
      ./bin/podmanManageZoa.sh config-certificates export
      
    4. Change to the ZOA_HOME/ssl_export directory, and run the following commands to copy the necessary artifacts into the /usr/share/CAresources directory. The private key password is stored base64-encoded in zoa_env.config and must be written to the directory in clear text, so restrict the permissions on zoasvc.key and zoasvc.pwd to the user ID that runs the containers.
      # Copy signing request
      cp zoasvc.csr /usr/share/CAresources
      # Copy private key
      cp zoasvc.key /usr/share/CAresources
      # Decode the private key password and store it in clear text
      grep '^ZAIOPS_ZOASVC_PASS=' ../zoa_env.config | \
        cut -f 2- -d "=" | \
        base64 -d > /usr/share/CAresources/zoasvc.pwd
      
  3. Submit the certificate signing request to the certificate authority for your organization.
  4. When you receive the CA-signed certificate, store it, together with the CA root certificate and any intermediate certificates, in the /usr/share/CAresources directory. If you skipped step 2 of this procedure, you must also store the following additional artifacts in the /usr/share/CAresources directory.
    • The private key file that was used to generate the certificate signing request.
    • The password for the private key.
  5. Run the following commands to replace the self-signed certificate with the CA-signed certificate:
    Docker
    
    cd ZOA_HOME
    ./bin/dockerManageZoa.sh config-certificates use-provided
    
    Podman
    
    cd ZOA_HOME
    ./bin/podmanManageZoa.sh config-certificates use-provided
    
    Important: The config-certificates use-provided command supports only one intermediate certificate. If your CA setup requires more than one intermediate certificate, import the additional intermediate certificates with the config-certificates import-cert command before you restart the containers.
  6. Shut down and restart all software containers.
    Docker
    
    ./bin/dockerManageZoa.sh down
    ./bin/dockerManageZoa.sh up
    
    Podman
    
    ./bin/podmanManageZoa.sh down
    ./bin/podmanManageZoa.sh up
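Before running config-certificates use-provided in step 5, it pays to confirm that the /usr/share/CAresources directory actually meets the requirements of steps 1, 2 and 4: the directory is outside ZOA_HOME, every certificate file holds exactly one certificate (no chain files), the CA-signed certificate was issued for the private key that produced the CSR, and the root and intermediate certificates validate it. The following script is an added example and is not part of Z Resource Discovery. It assumes the file names zoasvc.crt, ca-root.crt and ca-intermediate.crt for the certificates returned by the CA (zoasvc.key and zoasvc.pwd are the names produced in step 2) and that openssl is on the PATH.

```shell
#!/usr/bin/env bash
# Pre-flight checks for the CA artifacts directory before running
# "config-certificates use-provided". Added example, not part of Z Resource
# Discovery. File names are assumptions: zoasvc.crt (CA-signed certificate),
# ca-root.crt, ca-intermediate.crt, zoasvc.key and zoasvc.pwd; the last two
# are the names produced by "config-certificates export" in step 2.

# Number of PEM certificate blocks in a file (0 if it cannot be read).
# use-provided does not accept chain files, so every file must hold exactly one.
count_certs() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Succeeds when CHILD ($1) is PARENT ($2) itself or a directory below it.
# Both must be canonical absolute paths without a trailing slash.
path_under() {
    case "$1/" in
        "$2"/*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Succeeds when the public key in the certificate ($1) equals the public key
# derived from the encrypted private key ($2) using the password file ($3).
# A mismatch means the CA signed a CSR that was not made from this key.
key_matches_cert() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -passin "file:$3" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when the root ($2), plus the intermediate ($3) if given, validate
# the CA-signed certificate ($1); this is what the containers will have to do.
chain_verifies() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null
    else
        openssl verify -CAfile "$2" "$1" >/dev/null
    fi
}

# Succeeds when the file is readable by "other" (secrets should not be).
world_readable() {
    [ -n "$(find "$1" -prune -perm -o+r 2>/dev/null)" ]
}

main() {
    local dir home rc=0 f n inter=""
    dir=$(cd "$1" && pwd -P) || { echo "FAIL: cannot open $1"; return 1; }
    home=$(cd "$2" && pwd -P) || { echo "FAIL: cannot open $2"; return 1; }

    # Step 1: the directory must not be ZOA_HOME or a subdirectory of it.
    if path_under "$dir" "$home"; then
        echo "FAIL: $dir is inside ZOA_HOME ($home)"; rc=1
    fi

    # Step 4 and the Important note in step 5: one certificate per file.
    for f in zoasvc.crt ca-root.crt ca-intermediate.crt; do
        if [ ! -e "$dir/$f" ]; then
            [ "$f" = ca-intermediate.crt ] && continue   # intermediate is optional
            echo "FAIL: $f is missing"; rc=1; continue
        fi
        n=$(count_certs "$dir/$f")
        if [ "$n" -ne 1 ]; then
            echo "FAIL: $f contains $n certificates; supply exactly one per file"; rc=1
        fi
    done
    [ -e "$dir/ca-intermediate.crt" ] && inter="$dir/ca-intermediate.crt"

    # The key and password that produced the CSR must accompany the certificate.
    for f in zoasvc.key zoasvc.pwd; do
        [ -r "$dir/$f" ] || { echo "FAIL: $f is missing or unreadable"; rc=1; }
        world_readable "$dir/$f" && echo "WARN: $f is world-readable"
    done

    if [ "$rc" -eq 0 ]; then
        key_matches_cert "$dir/zoasvc.crt" "$dir/zoasvc.key" "$dir/zoasvc.pwd" \
            || { echo "FAIL: zoasvc.crt was not issued for zoasvc.key"; rc=1; }
        chain_verifies "$dir/zoasvc.crt" "$dir/ca-root.crt" "$inter" \
            || { echo "FAIL: root/intermediate do not validate zoasvc.crt"; rc=1; }
    fi
    [ "$rc" -eq 0 ] && echo "OK: $dir is ready for config-certificates use-provided"
    return "$rc"
}

# Usage: ./check_ca_artifacts.sh /usr/share/CAresources /opt/zoa
if [ "$#" -eq 2 ]; then
    main "$@"
fi
```

The key-to-certificate comparison is the check most often skipped and most often needed: if the CA returned a certificate for an earlier CSR, or force-generate was run again after the CSR was submitted, the certificate and key no longer belong together and use-provided will import a pair the containers cannot use. Run the script as the user ID that runs the containers so that the readability checks reflect that user's access.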