Replacing Certificates

Scenarios

openGauss ships with default security certificates and private keys for SSL connections. You can replace them with your own as required.

Prerequisites

Formal certificates and keys for the server and the client have been obtained from a CA.

Precautions

Currently, openGauss supports only X.509v3 certificates in PEM format.

Procedure

  1. Prepare certificates and private keys.

    Naming conventions for the configuration files on the server:

    • Certificate name: server.crt
    • Key name: server.key
    • Encrypted key password and its random-factor file: server.key.cipher and server.key.rand

    Naming conventions for the configuration files on the client:

    • Certificate name: client.crt
    • Key name: client.key
    • Encrypted key password and its random-factor file: client.key.cipher and client.key.rand
    • CA certificate name: cacert.pem
    • CRL file name: sslcrl-file.crl
  2. Replace the certificates.

    1. On the server, copy server.crt, server.key, server.key.cipher, and server.key.rand to the directories that hold the original files, overwriting them.
    2. On the client, copy client.crt, client.key, client.key.cipher, client.key.rand, and cacert.pem to the directories that hold the original files, overwriting them. If a CRL is to be configured, also copy sslcrl-file.crl.
  3. Restart openGauss so that the server loads the new files. Pass your own data directory to -D; the path below is an example.

    gs_ctl restart -D /gaussdb/data/datanode 
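The procedure above is a copy-and-restart, so the only thing that protects you from a typo, a DER-encoded file or a cert/key mismatch is the failed restart afterwards. The following script, an added example and not openGauss's own tooling, checks the server or client file set under the naming conventions listed above before copying anything, keeps the original files in a timestamped backup directory for rollback, and only then calls gs_ctl. The staging directory /tmp/new-ssl, the backup directory name, and the 0600 key mode it enforces are assumptions for the example; the data directory defaults to the one used in the restart command above.

```shell
#!/bin/sh
# Pre-flight checks and staged replacement of the openGauss SSL files.
# Added example; not part of openGauss. Paths and the backup layout are assumptions.
set -u

# A file must exist, be non-empty and be a single PEM block of the given kind
# (CERTIFICATE, PRIVATE KEY, X509 CRL). openGauss accepts only PEM, so a DER file,
# an empty file or a certificate copied over a key is caught here, before copying.
check_pem_block() {
    f=$1; kind=$2
    [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    grep -q "^-----BEGIN .*$kind-----$" "$f" || { echo "no BEGIN $kind in $f" >&2; return 1; }
    grep -q "^-----END .*$kind-----$" "$f" || { echo "no END $kind in $f" >&2; return 1; }
    return 0
}

# A private key must be readable by the database OS user only. PostgreSQL, from
# which openGauss descends, refuses a group- or world-accessible key at startup,
# so 0600 is enforced here rather than discovered during the restart.
check_key_perms() {
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ] || { echo "$1 must be mode 0600 (group/other bits: $mode)" >&2; return 1; }
}

# Check the complete file set for one side ("server" or "client") in directory $2,
# following the page's naming conventions. The CRL is optional on the client.
check_set() {
    side=$1; d=$2
    check_pem_block "$d/$side.crt" CERTIFICATE || return 1
    check_pem_block "$d/$side.key" "PRIVATE KEY" || return 1
    check_key_perms "$d/$side.key" || return 1
    [ -s "$d/$side.key.cipher" ] && [ -s "$d/$side.key.rand" ] \
        || { echo "$side.key.cipher / $side.key.rand missing in $d" >&2; return 1; }
    if [ "$side" = client ]; then
        check_pem_block "$d/cacert.pem" CERTIFICATE || return 1
        if [ -e "$d/sslcrl-file.crl" ]; then
            check_pem_block "$d/sslcrl-file.crl" "X509 CRL" || return 1
        fi
    fi
    return 0
}

# Stronger check for real material: the public key in the certificate must match
# the private key, and the certificate must not already be expired. Needs openssl;
# for a password-protected key add -passin to the pkey call.
check_pair_with_openssl() {
    crt=$1; key=$2
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, pair check skipped" >&2; return 0; }
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null || { echo "$crt is expired or unreadable" >&2; return 1; }
    a=$(openssl x509 -in "$crt" -noout -pubkey) || return 1
    b=$(openssl pkey -in "$key" -pubout 2>/dev/null) || { echo "cannot read $key" >&2; return 1; }
    [ "$a" = "$b" ] || { echo "$key does not match $crt" >&2; return 1; }
}

# Verify the set in $2, back up the originals from $3 into a timestamped directory
# under $3, then copy the new files in. Prints the backup directory for rollback.
stage_set() {
    side=$1; src=$2; dst=$3
    check_set "$side" "$src" || return 1
    files="$side.crt $side.key $side.key.cipher $side.key.rand"
    if [ "$side" = client ]; then
        files="$files cacert.pem"
        if [ -e "$src/sslcrl-file.crl" ]; then files="$files sslcrl-file.crl"; fi
    fi
    bak="$dst/ssl-backup-$(date +%Y%m%d%H%M%S)"
    mkdir -p "$bak" || return 1
    for f in $files; do
        if [ -e "$dst/$f" ]; then cp -p "$dst/$f" "$bak/$f" || return 1; fi
        cp -p "$src/$f" "$dst/$f" || return 1
    done
    chmod 600 "$dst/$side.key" || return 1
    echo "$bak"
}

# Server-side run: ./replace-ssl.sh replace [data_dir] [staging_dir]
# gs_ctl is only invoked here, so the checks themselves can run on any host.
if [ "${1:-}" = "replace" ]; then
    DATA=${2:-/gaussdb/data/datanode}   # data directory from the restart step above
    NEW=${3:-/tmp/new-ssl}              # assumed staging directory holding the new files
    check_pair_with_openssl "$NEW/server.crt" "$NEW/server.key" || exit 1
    bak=$(stage_set server "$NEW" "$DATA") || exit 1
    echo "originals saved in $bak"
    gs_ctl restart -D "$DATA"
fi
```

If the restart fails, the previous files are still in the printed backup directory and can be copied back before restarting again. For the client side, call stage_set with client and the client's directory; no restart is involved there.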
    
    openGauss 2025-05-09 07:43:05