This article will explain how to update your IriusRisk certificates for your on-premises deployment, and show some commands that can be useful.
Once your new certificate has been created
Once you have the new certificate (and the new key, if you have renewed it as well) you need to upload them to the docker host, in the docker-compose.yml path, named as cert.pem and key.pem.
You can verify that the key and the cert are valid by checking that their modulus is matching, and that the date of the new cert is correct.
To check the modulus you can:
openssl x509 -noout -modulus -in cert.pem | openssl md5
openssl rsa -noout -modulus -in key.pem | openssl md5
And to review the date:
openssl x509 -in cert.pem -text | grep "Not After"
Then, restart nginx to apply the change:
docker restart iriusrisk-nginx
You can review that the certificate has been renewed in the app by checking it on the url by hostname or on the localhost, for example
echo | openssl s_client -servername instance_name.iriusrisk.com -connect instance_name.iriusrisk.com:443 2>/dev/null | openssl x509 -noout -dates| grep notAfter | sed -e 's#notAfter=##'
echo | openssl s_client -servername localhost -connect localhost:443 2>/dev/null | openssl x509 -noout -dates| grep notAfter | sed -e 's#notAfter=##'
To take into account
In case you need to remove a password from a key:
openssl rsa -in [original.key] -out [new.key]
The name of the certificate and key are on the ngnix volume section of the docker-compose.yml file:
$ cat docker-compose.yml | grep "cert.pem\|key.pem"
So if you decide to rename the cert and the key, i.e. cert2.pem and key2.pem, the new names need to be modified as well in the file, and the docker stack restarted in order to apply the change:
docker-compose down && docker-compose up -d