Certificate Expiration and Renewal
FMOS will automatically renew the self-signed certificates it creates when they expire, but it will not do so for CA-signed certificates.
Certificates expire one year after installation. Certificate renewal is required before the expiration date.
FMOS provides processes for handling certificate expiration on both the application and database servers.
Items of note:
- Both processes (DB and AS) are required in all multi-server ecosystem deployments.
- This applies to single-server deployments as well, particularly ones with remote data collectors. The process is the same as for a stand-alone database server.
- All certificates will expire one year after initial installation.
- There is a specific health check that is run in FMOS to verify the status of certificates. These alerts are displayed on the Server Control Panel dashboard, or in the CLI when running the command fmos health -d.
Renewal for Database Server
Within 30 days of the certificate expiring, you can run one of the following commands to “renew” the certificate.
- Log on to the database server CLI.
- Run the command: fmos redeploy OR fmos update
In some cases, the machine may need to be rebooted after renewing the certificate.
When FMOS identifies that certificates are within 30 days of expiring and one of these two operations takes place, it will then automatically renew the certificates for another year.
Renewal for Application Server
You must renew the certificate on the database server first.
Within 30 days of the certificate expiring and after the database server's certificates have been renewed, you will need to do the following.
- Log on to the application server CLI.
- Run the command: fmos ecosystem refresh
In some cases, the machine may need to be rebooted after renewing the certificate.
This will request new certificates from the database server and renew them for another year.
If Certificates Have Already Expired
If the certificate for a machine with the AS role has already expired, then it cannot be renewed, as there is no way for the machine to authenticate to the certificate authority server. In this case, FMOS must be reinstalled on the AS machine and it will need to be added to the ecosystem following the normal setup process.
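The renewal rules above can be turned into a scheduled check that flags a certificate before it reaches the expired state. The script below is an added example, not part of FMOS: it classifies a certificate against the 30-day window and prints the step this page gives for that role. The certificate path, the role labels db and as, and the use of GNU date are assumptions.

```shell
#!/bin/sh
# Added example: classify a certificate against the 30-day renewal window
# described on this page and print the matching step.
# Assumptions (not from the page): the PEM path passed in, the role labels
# "db"/"as", and GNU date for parsing the openssl date string.

WINDOW_SECS=$((30 * 86400))   # "within 30 days of the certificate expiring"

# renewal_state NOT_AFTER_EPOCH NOW_EPOCH -> ok | renew | expired
renewal_state() {
    remaining=$(( $1 - $2 ))
    if [ "$remaining" -le 0 ]; then
        echo expired
    elif [ "$remaining" -le "$WINDOW_SECS" ]; then
        echo renew
    else
        echo ok
    fi
}

# renewal_action ROLE STATE -> the step this page gives for that case
renewal_action() {
    case "$1:$2" in
        db:renew)   echo "fmos redeploy" ;;           # page: fmos redeploy OR fmos update
        as:renew)   echo "fmos ecosystem refresh" ;;  # only after the DB renewal
        as:expired) echo "reinstall FMOS and re-add to ecosystem" ;;
        *:ok)       echo "none" ;;
        *)          echo "not covered by this page" ;;
    esac
}

# cert_not_after_epoch PEM_FILE -> notAfter as epoch seconds
cert_not_after_epoch() {
    end=$(openssl x509 -in "$1" -noout -enddate) || return 1
    date -d "${end#notAfter=}" +%s
}

# Usage: sh certwindow.sh ROLE /path/to/cert.pem   (path is a placeholder)
if [ "$#" -eq 2 ]; then
    na=$(cert_not_after_epoch "$2") || exit 2
    state=$(renewal_state "$na" "$(date +%s)")
    echo "$1 certificate: $state -> $(renewal_action "$1" "$state")"
fi
```

Run it for the database server first, since the application server renewal depends on the database server's certificates already being renewed.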