Deploying a user-provided node CA certificate

  • Perform this procedure while logged in to the deployer VM.
  • The customer-provided CA must be a root CA or a subCA.
  • The CA must be valid for at least 10 years.
Use the following command to deploy the signing CA certificate that is used to generate certificates for managed nodes.
fss-certificate.sh deploy-node-ca-certs --certificate <path> --key <path>
where

--certificate <path>: the path to the certificate file, in PEM format

--key <path>: the path to the private key file, in PEM format

--no prechecks: bypasses the pre-checks for this operation. This option is useful in scenarios, such as geo-redundant setups, where certificates are synchronized from the active to the standby system and the CA validity is likely to be less than 10 years.
Note: Use caution when using this option.
Note: Only nodes that are bootstrapped after the change of CA receive a gNMI server certificate signed by the new CA. Existing managed-node gNMI server certificates are renewed or replaced with new server certificates signed by the newly provided CA.

Deploy the customer-provided CA.
# /root/bin/fss-certificate.sh deploy-node-ca-certs --certificate /root/userdata/nodesigningca-valid10yrs.crt --key /root/userdata/nodesigningca-valid10yrs.key
Certificate is valid for 3651 days more till 2033-07-11 08:07:05
FSS updated successfully
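The deploy command above runs its own pre-checks and reports the remaining validity (3651 days in the output). The following script is an added example, not part of fss-certificate.sh or the product, that reproduces the three requirements stated at the top of this procedure (the certificate must be a CA, the key must belong to it, and it must remain valid for at least 10 years) so they can be verified on the deployer VM before the real deployment is attempted. It assumes only that openssl is on the PATH; the function name precheck_node_ca and the exit codes are choices made here, not anything fss-certificate.sh exposes.

```shell
#!/bin/sh
# Added example: pre-checks for a user-provided node CA before running
#   fss-certificate.sh deploy-node-ca-certs --certificate <path> --key <path>
# This is not the product's own check; it assumes openssl is installed.
# Exit codes (chosen here): 0 ok, 1 unreadable file, 2 not a PEM cert,
# 3 not a CA, 4 key does not match, 5 validity shorter than MIN_DAYS.

MIN_DAYS=3650   # 10 years, the minimum the deploy command accepts without "--no prechecks"

cert_is_ca() {
    # basicConstraints CA:TRUE is what distinguishes a root CA or subCA from a leaf cert
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

key_matches_cert() {
    # Compare the SubjectPublicKeyInfo derived from the private key with the one in the cert
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

cert_valid_for_days() {
    # -checkend succeeds only if the cert is still valid that many seconds from now,
    # which mirrors the "valid for N days more" figure the deploy command prints
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

precheck_node_ca() {
    cert=$1
    key=$2
    [ -r "$cert" ] || { echo "certificate not readable: $cert" >&2; return 1; }
    [ -r "$key" ]  || { echo "key not readable: $key" >&2; return 1; }
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 \
        || { echo "not a PEM certificate: $cert" >&2; return 2; }
    cert_is_ca "$cert" \
        || { echo "certificate is not a CA (basicConstraints CA:TRUE missing)" >&2; return 3; }
    key_matches_cert "$cert" "$key" \
        || { echo "private key does not match certificate" >&2; return 4; }
    cert_valid_for_days "$cert" "$MIN_DAYS" \
        || { echo "CA expires in less than $MIN_DAYS days: $(openssl x509 -in "$cert" -noout -enddate)" >&2; return 5; }
    echo "pre-checks passed: $(openssl x509 -in "$cert" -noout -enddate)"
}

# Usage: sh precheck_node_ca.sh <certificate.pem> <key.pem>
if [ "$#" -eq 2 ]; then
    precheck_node_ca "$1" "$2"
fi
```

Run it against the same files that will be passed to deploy-node-ca-certs; a non-zero exit explains which requirement failed, which is the case the "--no prechecks" option would otherwise hide.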