Is there an alternate solution to bouncing the server to bring a CA Trusted folder/self-signed certificate into effect? Bouncing the IS is causing us a lot of grief from our customers who have production floor services that need to run 24/7.
If anyone knows what gets run under the covers to load the certs, or knows of an alternate method for this to work, it would be appreciated.
I think (in 4.6 at least), trusted CAs are just files on disk and don’t go into the repo. Hence if you have hardware clustering with a CSS in front of IS servers, the standard cluster procedure should apply:
1. Remove some IS servers from your cluster.
2. Add the new root CA cert to these servers.
3. Bounce the servers.
4. Switch the cluster switch to the “bounced servers”, simultaneously removing the remaining servers from the cluster.
5. Repeat steps 2 and 3 on the remaining servers.
6. Bring the remaining servers back into the cluster.