Renew TLS certificates for Cyberwatch services with Podman

Check a certificate expiration date

openssl x509 -noout -enddate -in /etc/cyberwatch/certs/cbw-nginx-cert.pem

Renew service certificates

A warning is displayed on the command line during a cyberwatch restart when certificates are nearing expiration. Since the cyberwatch user is not a sudoer, renewal must be performed by a user with sudo privileges.

By default, only certificates expiring within 45 days are renewed. The --force option renews all certificates unconditionally.

# Renew all services
sudo cyberwatch renew-certificates

# Target specific services
sudo cyberwatch renew-certificates nginx db

# Force renewal regardless of expiration date
sudo cyberwatch renew-certificates --force

Renew the CA

sudo cyberwatch renew-certificates --with-ca

# Can be combined with --force
sudo cyberwatch renew-certificates --force --with-ca

On a satellite, the master CA certificate (cbw-root-ca-cert-master.pem) must be present in /etc/cyberwatch/certs/ before renewing the satellite CA. See the master/satellite TLS certificate renewal procedure.
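
A pre-renewal check built on the expiration command above, showing which certificates fall inside the default 45-day window and whether the satellite prerequisite is met. This is an added example, not Cyberwatch code; the function names, the CERT_DIR and WINDOW_DAYS variables, and the "-cert" file-name pattern are assumptions.

```bash
# Added example, not Cyberwatch code. Assumption: certificates are PEM files
# whose names contain "-cert" (as cbw-nginx-cert.pem does).
CERT_DIR="${CERT_DIR:-/etc/cyberwatch/certs}"
WINDOW_DAYS="${WINDOW_DAYS:-45}"   # default renewal window stated on this page

# Print "<STATUS> <file> <notAfter>" for each certificate found in <dir>.
# Returns 0 when nothing needs attention, 1 otherwise.
audit_certs() {
    local dir="$1" days="$2" rc=0 f end
    local seconds=$(( days * 86400 ))
    for f in "$dir"/*-cert*.pem; do
        [ -e "$f" ] || continue          # glob matched nothing
        if ! end=$(openssl x509 -noout -enddate -in "$f" 2>/dev/null); then
            printf 'UNREADABLE %s\n' "$f"; rc=1; continue
        fi
        # -checkend exits 0 only if the certificate is still valid in <seconds>
        if openssl x509 -noout -checkend "$seconds" -in "$f" >/dev/null 2>&1; then
            printf 'OK %s %s\n' "$f" "${end#notAfter=}"
        else
            printf 'DUE %s %s\n' "$f" "${end#notAfter=}"; rc=1
        fi
    done
    return "$rc"
}

# Satellite precondition: master CA certificate present and non-empty.
master_ca_present() {
    [ -s "$1/cbw-root-ca-cert-master.pem" ]
}

# Usage:
#   audit_certs "$CERT_DIR" "$WINDOW_DAYS" || echo "renewal needed"
#   master_ca_present "$CERT_DIR" || echo "master CA certificate missing"
```

Already expired certificates are reported as DUE, and a file that does not parse as a certificate is reported as UNREADABLE rather than skipped.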

