SSL CA Certificate Upgrade for Privacera Diagnostics

This document provides steps to handle Diagnostics SSL artifacts during a CA certificate upgrade to prevent certificate mismatches.

STEP 1: Backup Diagnostics SSL artifacts (before CA certificate upgrade)

Back up the following Diagnostics SSL artifacts (server and client):

  • Server

    • diagnostics-server-keystore.p12
    • diagnostics-server-keystore-public-key.pem
    • diagnostics-server-keystore-private-key.pem
    • diagnostics-server-trust.cer
  • Client (only if client SSL is enabled in Privacera Manager via DIAG_CLIENT_SSL_ENABLED or when FIPS mode is enabled)

    • diagnostics-client-keystore.p12
    • diagnostics-client-keystore-public-key.pem
    • diagnostics-client-keystore-private-key.pem
    • diagnostics-client-trust.cer

STEP 2: Perform the CA certificate upgrade

Perform the CA certificate upgrade and place the new CA-signed inputs in the same config/ssl/ folder. Their file names are whatever you configured via the vars, but they must be the updated full-chain PEM and the matching private-key PEM.

Update or verify the following variables in your vars.ssl.yml file to point to the updated full-chain and private key PEMs (uncomment and set as needed):

```yaml
### PRIVACERA-DIAGNOSTICS ###
#DIAG_SERVER_SSL_SIGNED_PEM_FULL_CHAIN: "diagnostics_fullchain.pem"
#DIAG_SERVER_SSL_SIGNED_PEM_PRIVATE_KEY: "diagnostics_private_key.pem"
```

STEP 3: Force refresh derived artifacts (after CA certificate upgrade)

To prevent a certificate mismatch, delete the derived Diagnostics artifacts (the files backed up in Step 1), then re-run the Diagnostics SSL generation step (or re-run the Diagnostics role) so that it recreates them from the new CA-signed inputs:

  • diagnostics-*-keystore.p12
  • diagnostics-*-trust.cer
  • diagnostics-*-keystore-public-key.pem
  • diagnostics-*-keystore-private-key.pem

STEP 4: Apply changes using Privacera Manager

Run the following commands to apply the updated SSL certificates and regenerated artifacts:

```bash
cd ~/privacera/privacera-manager
./privacera-manager.sh setup
```

```bash
cd ~/privacera/privacera-manager
./pm_with_helm.sh upgrade
```

```bash
cd ~/privacera/privacera-manager
./privacera-manager.sh post-install
```

Note

  • A mismatch occurs when the new CA-signed certificates are in place but the Diagnostics keystores and derived PEMs are not regenerated; the deployment may skip regeneration when those files already exist.
  • The backup is for rollback, not to import old certs into the new keystore. The new keystore should be rebuilt from the new CA-signed material.
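As an added example (not part of the Privacera documentation or tooling), the following script checks for the mismatch described in Step 3 and the Note: it compares the SHA-256 fingerprint of the leaf certificate in the new full-chain PEM against the certificate in the derived diagnostics-<role>-keystore-public-key.pem, and lists any derived artifacts that are missing. It assumes the derived public-key PEM contains the server certificate as a CERTIFICATE block, and the sample PEM blobs it builds are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re
import tempfile
from pathlib import Path

# First CERTIFICATE block of a PEM; in a full-chain file that is the leaf.
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
# Suffixes of the derived artifacts listed in Step 1 / Step 3, per role.
DERIVED_SUFFIXES = ("keystore.p12", "keystore-public-key.pem",
                    "keystore-private-key.pem", "trust.cer")

def leaf_fingerprint(pem_text: str) -> str:
    """SHA-256 of the first cert's DER: what `openssl x509 -noout -fingerprint -sha256` prints."""
    match = PEM_CERT.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found in PEM input")
    der = base64.b64decode("".join(match.group(1).split()))
    return hashlib.sha256(der).hexdigest()

def check_role(ssl_dir: Path, fullchain_name: str, role: str = "server") -> dict:
    """Missing diagnostics-<role>-* artifacts, plus whether the derived cert PEM is stale."""
    names = [f"diagnostics-{role}-{s}" for s in DERIVED_SUFFIXES]
    missing = [n for n in names if not (ssl_dir / n).exists()]
    derived_pem = ssl_dir / f"diagnostics-{role}-keystore-public-key.pem"
    stale = None  # unknown until a derived PEM exists to compare against
    if derived_pem.exists():
        new_fp = leaf_fingerprint((ssl_dir / fullchain_name).read_text())
        stale = leaf_fingerprint(derived_pem.read_text()) != new_fp
    return {"missing": missing, "stale": stale}

def fake_pem(payload: bytes) -> str:
    """Wrap constructed bytes as a CERTIFICATE block (a placeholder, not a real certificate)."""
    body = base64.encodebytes(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"

def demo() -> dict:
    """Run the check on constructed files before and after the Step 3 refresh."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "diagnostics_fullchain.pem").write_text(fake_pem(b"new-leaf") + fake_pem(b"new-ca"))
        for s in DERIVED_SUFFIXES:
            (d / f"diagnostics-server-{s}").touch()
        pub = d / "diagnostics-server-keystore-public-key.pem"
        pub.write_text(fake_pem(b"old-leaf"))  # pre-upgrade artifact left in place
        before = check_role(d, "diagnostics_fullchain.pem")
        pub.write_text(fake_pem(b"new-leaf"))  # after the Step 3 regeneration
        after = check_role(d, "diagnostics_fullchain.pem")
    return {"before": before, "after": after}
```

Run `check_role(Path("~/privacera/privacera-manager/config/ssl").expanduser(), "<your DIAG_SERVER_SSL_SIGNED_PEM_FULL_CHAIN>")` after Step 4; `stale: True` or a non-empty `missing` list means Step 3 did not take effect.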