Resetting the TLS configuration of a Pexip Infinity deployment

You can reset the TLS configuration of your Pexip deployment by following the process below.

This is a destructive command and it should only be run when directed to do so by Pexip support.

It applies to deployments from v32 and later.

• Reset only invalid certificates
• Reset all certificates

Reset only invalid certificates

Certificates with MD5/SHA1 algorithms are classed as invalid; this does not include root certificates.

1. You can check all your existing certificates by the following methods:

   • Go to Certificates > TLS certificates and Certificates > Intermediate CA certificates, and then view the Certificate contents for each certificate and check the Signature Algorithm for references to md5 or sha1.
   • Go to https://<manageraddress>/api/admin/configuration/v1/tls_certificate/ and https://<manageraddress>/api/admin/configuration/v1/ca_certificate/ and search for references to md5 or sha1.
2. SSH into the Management Node.

3. Run the command:

   reset-tls-config

4. You are prompted to continue.

   ***WARNING***

   This operation will remove **invalid** TLS certificates, then generate a new self-signed one for each affected VM!

   Are you sure you want to continue [y/N]:

5. Select y to continue and all certificates will be replaced with self-signed certificates.

   If none are found you are shown the following output:

   No VMs require new self-signed certs

   No TLS certificates need deleting

   No CA certificates need deleting

   All operations completed, please wait for the changes to propagate

Reset all certificates

To reset all certificates:

1. SSH into the Management Node.

2. Run the command:

   reset-tls-config -a

3. Select y to continue and all certificates will be replaced with self-signed certificates.

   ***WARNING***

   This operation will remove **ALL** TLS certificates, then generate a new self-signed one for each affected VM!

   Are you sure you want to continue [y/N]: