PKI backup and restore

Contents

PKI backup and restore

Overview

The PKI generated by the master Appliance during federation lets Collectors securely communicate with the Engines through a TCP connection.

Failing to take a backup of the PKI items in the master Appliance (root certificate, private key, and customer key) before a full disaster occurrence, results in the need to re-create the PKI and re-distribute a new root certificate and a new customer key to all the deployed Collectors.

Manual backup

Once you have federated at least one slave Appliance, take a backup of the generated PKI:

  1. Open a web browser and log in to the Web Console of the master Appliance as admin.
  2. In the Appliance tab, select the Collector management section on the left-hand side menu.
  3. Under Collector default certificates at the bottom of the page, click the button BACKUP CERTIFICATE AND KEY to get a backup of the generated Root CA certificate and Customer Key. The backup file has the name root-ca-backup.tgz.

Restoring the PKI

To restore the backup of the PKI, we assume that you have a new master Appliance in place with the same network configuration as the original Appliance and a restored license.

Follow this procedure before federating any Engine back.

  1. Copy the backup file root-ca-backup.tgz to the master Appliance using any SCP tool.
  2. Download the following script for deploying the Customer Key and Root CA: deploy_rck.sh.
  3. Copy the script to the master Appliance using any SCP tool.
  4. Log in to the CLI of the master Appliance.
  5. Execute the script as root, passing the backup file as argument.
    sudo sh deploy_rck.sh root-ca-backup.tgz
  6. Open a web browser and log in to the Web Console of the master Appliance as admin.
  7. If the new Appliance has a different DNS name from the original:
    1. In the Appliance tab, select the Network Parameters section on the left-hand side menu.
    2. Type in the External DNS name and the Internal DNS name of the new master Appliance.
  8. Select the Collector management section on the left-hand side menu.
  9. If you are running the Portal and the Engine in the same Appliance, click the button GENERATE CERTIFICATE that is displayed in red.
  10. If your Engines reside in separate slave Appliances, federate them now:
    1. Select the Federated appliances section on the left-hand side menu.
    2. Click ADD APPLIANCE to add a new slave and provide the necessary information.


Related tasks
Retrieved from "https://doc.nexthink.com/Documentation/Nexthink/latest/InstallationAndConfiguration/PKIbackupandrestore"