Renew TLS Certificate
This section explains how to replace an existing, expiring, or compromised self-signed certificate with a new one — without changing the application’s code or TLS settings.
Generate the Certificate
- Use a tool such as OpenSSL to create the new certificate.
- Make sure it includes the correct Subject Alternative Name (SAN) or Common Name (CN) that matches the component’s hostname or IP address.
- The new certificate should also use a stronger key size and hash algorithm than the old one.
Download the Executable File
- Go to the following link to download the executable file (https://uploads.tenable.com/files/cfbd6fcd-d70c-439d-9948-8d2b206f1b84/download).
- Download the file.
- Save the file to a secure location on your system.
- Verify the file integrity by checking its SHA-256 hash: 2d3909d4208702360648d885638fe0dc2cb8298f5321348d5bf1dd8f908044bf
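One way to perform the integrity check from PowerShell before the file is run with administrator rights. This is an added example, not part of the original page or the vendor's tooling. The path `C:\Temp\Renew-Self-signed-certificate.exe` is an assumed download location and `Test-FileSha256` is a hypothetical helper name.

```powershell
# Assumed location of the downloaded file; adjust to where you saved it.
$Path     = 'C:\Temp\Renew-Self-signed-certificate.exe'
# SHA-256 value published in the download step above.
$Expected = '2d3909d4208702360648d885638fe0dc2cb8298f5321348d5bf1dd8f908044bf'

# Hypothetical helper: returns $true only when the file's SHA-256 equals the expected digest.
function Test-FileSha256 {
    param(
        [Parameter(Mandatory)][string]$LiteralPath,
        [Parameter(Mandatory)][string]$ExpectedHash
    )
    if (-not (Test-Path -LiteralPath $LiteralPath -PathType Leaf)) {
        throw "File not found: $LiteralPath"
    }
    # Drop whitespace picked up when copying the digest, then validate its shape.
    $clean = $ExpectedHash -replace '\s', ''
    if ($clean -notmatch '^[0-9a-fA-F]{64}$') {
        throw 'Expected value is not a 64-character hexadecimal SHA-256 digest.'
    }
    $actual = (Get-FileHash -LiteralPath $LiteralPath -Algorithm SHA256).Hash
    # Get-FileHash returns uppercase hex, so compare case-insensitively.
    return [string]::Equals($actual, $clean, [System.StringComparison]::OrdinalIgnoreCase)
}

if (Test-FileSha256 -LiteralPath $Path -ExpectedHash $Expected) {
    Write-Host 'SHA-256 matches the published value. Continue with the procedure.'
} else {
    # Stop here: a mismatch means the file is corrupted or is not the published one.
    throw "SHA-256 mismatch for $Path. Do not run the file; download it again."
}
```

Repeat the check on each server after copying the file there, so that the copy that is actually executed is the one that was verified.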
Standard Architecture
- Connect to the Storage Manager (SM), Security Engine Node (SEN), and the Directory Listener (DL) servers using an administrator account.
- Open a PowerShell terminal as an administrator.
- Run the executable file with the following parameters.
PS C:\> .\Renew-Self-signed-certificate.exe -StorageManagerIp "SM host" -SecurityEngineNodeIp "SEN Host" -DirectoryListenerIp "DL Host"
Distributed Architecture
- Connect to the Storage Manager (SM), Security Engine Nodes (SEN1, SEN2, SEN3), and the Directory Listener (DL) servers using an administrator account.
- Open a PowerShell terminal as an administrator.
- Run the executable file with the following parameters.
PS C:\> .\Renew-Self-signed-certificate.exe -StorageManagerIp "SM host" -SecurityEngineNodeIp "SEN1 Host, SEN2 Host, SEN3 Host, SEN4 Host, SEN5 Host" -DirectoryListenerIp "DL Host"