Deploying a user-provided node CA certificate

  • Perform this procedure while logged in to the deployer VM.
  • The customer-provided CA must be a root CA or a subCA.
  • The CA must be valid for at least 10 years.
Use the following command to deploy the signing CA certificate that is used to generate certificates for managed nodes.
fss-certificate.sh deploy-node-ca-certs --certificate <path> --key <path>
where

--certificate <path> is the path to the certificate file, in PEM format

--key <path> is the path to the private key file, in PEM format

Note:

Only nodes that are bootstrapped after the change of CA receive a gNMI server certificate signed by the new CA. Existing managed node gNMI server certificates are renewed or replaced with new server certificates signed by the newly provided CA.

Deploy the customer-provided CA.
# /root/bin/fss-certificate.sh deploy-node-ca-certs --certificate /root/userdata/nodesigningca-valid10yrs.crt --key /root/userdata/nodesigningca-valid10yrs.key
Certificate is valid for 3651 days more till 2033-07-11 08:07:05
FSS updated successfully
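Before running the deploy command it is worth checking that the candidate files meet the constraints listed above (a CA certificate, at least 10 years of remaining validity, and a private key that belongs to the certificate), so that a rejected or wrongly issued CA is caught on the deployer VM rather than after bootstrapped nodes start trusting it. The script below is an added example, not part of the product or of this page; it assumes the openssl CLI is installed on the deployer VM and the file paths are hypothetical.

```shell
#!/bin/sh
# Pre-flight check for a user-provided node CA before running
#   fss-certificate.sh deploy-node-ca-certs --certificate <cert> --key <key>
# Added example (not product code). Assumes the openssl CLI is installed.

# Minimum remaining validity required by the procedure: 10 years, in seconds.
MIN_VALID_SECONDS=$((10 * 365 * 24 * 3600))

# check_node_ca <cert.pem> <key.pem>
# Returns 0 when every check passes, 1 otherwise, and prints the failing check.
check_node_ca() {
    cert="$1"
    key="$2"

    # 1. The file must parse as a PEM certificate.
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo "FAIL: $cert is not a readable PEM certificate"; return 1
    fi

    # 2. It must be a CA (root CA or subCA): basicConstraints CA:TRUE.
    if ! openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
        echo "FAIL: $cert does not carry basicConstraints CA:TRUE"; return 1
    fi

    # 3. It must not expire within the next 10 years.
    #    -checkend exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend "$MIN_VALID_SECONDS" >/dev/null 2>&1; then
        echo "FAIL: $cert expires in less than 10 years"; return 1
    fi

    # 4. The private key must belong to the certificate: compare public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $cert"; return 1
    fi

    echo "OK: $cert is a CA certificate valid for 10+ years and matches $key"
    return 0
}

# Usage (hypothetical paths, as in the procedure above):
#   check_node_ca /root/userdata/nodesigningca-valid10yrs.crt \
#                 /root/userdata/nodesigningca-valid10yrs.key \
#   && /root/bin/fss-certificate.sh deploy-node-ca-certs \
#        --certificate /root/userdata/nodesigningca-valid10yrs.crt \
#        --key /root/userdata/nodesigningca-valid10yrs.key
```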