Reissuing internal CA certificates

The storage location of the self-signed CA certificate and the certificate reissue mechanism have been changed.
The certificate is stored in the database. The previous method of reissuing internal certificates by deleting certificates from the file system of the Core and restarting the Core is no longer allowed. The old method will cause the Core to fail to start. Do not connect new services to the Core until the certificate is successfully reissued.
After reissuing the internal CA certificates in the Settings → General → Reissue internal CA certificates section of the KUMA web interface, you must stop the services, delete the old certificates from the directories of the service, and manually restart all services. Only users with the General Administrator role can reissue internal CA certificates.

The Reissue internal CA certificates option is available only to a user with the General Administrator role.

The process of reissuing certificates for an individual service remains the same: in the KUMA web interface, in the Resources → Active services section, select the service; in the context menu, select Reset certificate, and delete the old certificate from the service installation directory. KUMA automatically generates a new certificate. You do not need to restart running services, the new certificate is applied automatically. A stopped service must be restarted to have the certificate applied.

To reissue internal CA certificates:

  1. In the KUMA web interface, go to the Settings → General section, click Reissue internal CA certificates, and read the displayed warning. If you decide to proceed with reissuing certificates, click Yes.

    As a result, the CA certificates for KUMA services and the CA certificate for ClickHouse are reissued. Next, you must stop the services, delete old certificates from the service installation directories, restart the Core, and restart the stopped services to apply the reissued certificates.

  2. Connect to the hosts where the collector, correlator, and event router services are deployed.
    1. Stop all services with the following command:

      sudo systemctl stop kuma-<collector/correlator/eventRouter>-<service ID>.service

    2. Delete the internal.cert and internal.key certificate files from the "/opt/kaspersky/kuma/<service type>/<service ID>/certificates" directories with the following command:

      sudo rm -f /opt/kaspersky/kuma/<service type>/<service ID>/certificates/internal.cert

      sudo rm -f /opt/kaspersky/kuma/<service type>/<service ID>/certificates/internal.key

  3. Connect to the hosts where storage services are deployed.
    1. Stop all storage services.

      sudo systemctl stop kuma-<storage>-<service ID>.service

    2. Delete the internal.cert and internal.key certificate files from the "/opt/kaspersky/kuma/storage/<ID service>/certificates" directories.

      sudo rm -f /opt/kaspersky/kuma/storage/<service ID>/certificates/internal.cert

      sudo rm -f /opt/kaspersky/kuma/storage/<service ID>/certificates/internal.key

  4. Delete all ClickHouse certificates from the "/opt/kaspersky/kuma/clickhouse/certificates" directory.

    sudo rm -f /opt/kaspersky/kuma/clickhouse/certificates/internal.cert

    sudo rm -f /opt/kaspersky/kuma/clickhouse/certificates/internal.key

  5. Connect to the hosts where agent services are deployed.
    1. Stop the services of Windows agents and Linux agents.
    2. Delete the internal.cert and internal.key certificate files from the working directories of the agents.
  6. Start the Core to apply the new CA certificates.
    • For an "all-in-one" or distributed installation of KUMA, run the following command:

      sudo systemctl restart kuma-core-00000000-0000-0000-0000-000000000000.service

    • For KUMA in a high availability configuration, to restart the Core, run the following command on the primary controller:

      sudo k0s kubectl rollout restart deployment/core-deployment -n kuma

      You do not need to restart victoria-metrics.

      The Core must be restarted using the command because restarting the Core in the KUMA interface affects only the Core container and not the entire pod.

  7. Restart all services that were stopped as part of the procedure.

    sudo systemctl start kuma-<collector/correlator/eventRouter/storage>-<service ID>.service

  8. Restart victoria-metrics.

    sudo systemctl start kuma-victoria-metrics.service

Internal CA certificates are reissued and applied.

See also:

Downloading CA certificates
Page top