Renew TLS Certificate

This section explains how to replace an existing self-signed certificate, whether it is about to expire or has been compromised, with a new one without changing the application's code or TLS settings.

Generate the Certificate

  • Use a tool such as OpenSSL to create the new certificate. Generate a fresh private key rather than reusing the old one; this is mandatory when the old certificate is being replaced because of a compromise, since a compromised certificate means a compromised key.

  • Make sure it includes a Subject Alternative Name (SAN) that matches the hostname (DNS entry) or IP address (IP entry) clients use to reach the component. Modern TLS clients validate the SAN and ignore the Common Name (CN); set the CN to the same hostname for readability, but do not rely on it.

  • The new certificate should use a key size and hash algorithm at least as strong as current practice: RSA 2048-bit at minimum (3072-bit recommended) and SHA-256. Do not issue a certificate signed with SHA-1 or with a key weaker than the one it replaces.
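The following PowerShell function is an added example, not part of the product documentation, showing one way to carry out the three points above with OpenSSL and then check the result rather than assume it. It assumes an OpenSSL 1.1.1 or later binary (openssl.exe) on PATH; the hostname, IP address and output directory are placeholders.

```powershell
# Added example (not from the product documentation).
# Generates a self-signed certificate with a fresh key whose SAN names the host,
# then inspects the issued certificate to confirm key size, hash and SAN.
# Assumes openssl (1.1.1+) is on PATH; host values are placeholders.
function New-SanSelfSignedCert {
    param(
        [Parameter(Mandatory)][string]$HostName,   # e.g. sen1.example.internal (placeholder)
        [string]$IpAddress,                         # e.g. 10.0.0.21 (placeholder), if clients connect by IP
        [int]$Days = 365,
        [int]$KeyBits = 3072,
        [string]$OutDir = '.'
    )
    $key  = Join-Path $OutDir "$HostName.key"
    $cert = Join-Path $OutDir "$HostName.crt"

    # The SAN must carry every name a client will use; CN alone is ignored by modern clients.
    $san = "DNS:$HostName"
    if ($IpAddress) { $san += ",IP:$IpAddress" }

    # -newkey creates a brand-new private key; never reuse the old key for a renewal.
    & openssl req -x509 -newkey "rsa:$KeyBits" -sha256 -nodes `
        -keyout $key -out $cert -days $Days `
        -subj "/CN=$HostName" `
        -addext "subjectAltName=$san" `
        -addext "keyUsage=digitalSignature,keyEncipherment" `
        -addext "extendedKeyUsage=serverAuth"
    if ($LASTEXITCODE -ne 0) { throw "openssl req failed (exit code $LASTEXITCODE)" }

    # Verify what was actually issued, not what was requested.
    $text = (& openssl x509 -in $cert -noout -text) -join "`n"
    if ($text -notmatch "Public-Key: \($KeyBits bit\)")   { throw "Unexpected key size in $cert" }
    if ($text -notmatch 'sha256WithRSAEncryption')         { throw "Unexpected signature hash in $cert" }
    if ($text -notmatch [regex]::Escape("DNS:$HostName"))  { throw "SAN does not contain DNS:$HostName" }
    if ($IpAddress -and $text -notmatch [regex]::Escape("IP Address:$IpAddress")) {
        throw "SAN does not contain IP:$IpAddress"
    }

    [pscustomobject]@{ Certificate = $cert; PrivateKey = $key; SAN = $san; KeyBits = $KeyBits }
}

# Usage with placeholder values:
New-SanSelfSignedCert -HostName 'sen1.example.internal' -IpAddress '10.0.0.21'
```

The private key file is written unencrypted (-nodes) because the component must load it at service start; restrict its NTFS permissions to the service account and administrators immediately after generation, and delete any working copies once it has been installed.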

Download the Executable File

  1. Download the executable file from the following link (https://uploads.tenable.com/files/cfbd6fcd-d70c-439d-9948-8d2b206f1b84/download).

  2. Save the file to a secure location on your system, one that only administrators can write to.

  3. Verify the file integrity by computing its SHA-256 hash and comparing it with the published value: 2d3909d4208702360648d885638fe0dc2cb8298f5321348d5bf1dd8f908044bf. Do not run the file if the hashes differ.
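The following PowerShell snippet is an added example, not part of the product documentation, that performs the integrity check as a hard gate: it compares the digest of the downloaded file with the value published above and refuses to continue on a mismatch. The file path is a placeholder; the expected digest is the one published on this page.

```powershell
# Added example (not from the product documentation).
# Gate execution of the downloaded binary on its SHA-256 digest matching the published value.
function Test-FileSha256 {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSha256
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }
    # Normalise the published digest and reject anything that is not a 64-hex-digit SHA-256 value.
    $expected = $ExpectedSha256.Trim().ToLowerInvariant()
    if ($expected -notmatch '^[0-9a-f]{64}$') {
        throw "Expected value is not a SHA-256 digest: $ExpectedSha256"
    }
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLowerInvariant()
    [pscustomobject]@{
        Path     = $Path
        Expected = $expected
        Actual   = $actual
        Match    = ($actual -eq $expected)
    }
}

# Digest published in the documentation above; the path is a placeholder.
$published = '2d3909d4208702360648d885638fe0dc2cb8298f5321348d5bf1dd8f908044bf'
$result = Test-FileSha256 -Path '.\Renew-Self-signed-certificate.exe' -ExpectedSha256 $published
$result | Format-List

if (-not $result.Match) {
    # A mismatch means a corrupted or tampered download: do not execute it.
    Write-Error "SHA-256 mismatch for $($result.Path); do not run this file."
    exit 1
}

# Informational only: the page does not state whether the binary is Authenticode-signed,
# so report the signature status but do not treat its absence as a failure.
Get-AuthenticodeSignature -FilePath $result.Path | Select-Object Status, SignerCertificate
```

Type the published digest from the documentation rather than pasting it from the download page itself; a hash that travels with the file it is supposed to verify adds no assurance.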

Standard Architecture

  1. Connect to the Storage Manager (SM), Security Engine Node (SEN), and the Directory Listener (DL) servers using an administrator account.

  2. Open a PowerShell terminal as an administrator.

  3. Run the executable file with the following parameters.

    PS C:\> .\Renew-Self-signed-certificate.exe -StorageManagerIp "SM host" -SecurityEngineNodeIp "SEN Host" -DirectoryListenerIp "DL Host" 

Distributed Architecture

  1. Connect to the Storage Manager (SM), every Security Engine Node (SEN1, SEN2, SEN3, and so on), and the Directory Listener (DL) servers using an administrator account.

  2. Open a PowerShell terminal as an administrator.

  3. Run the executable file with the following parameters. Pass all Security Engine Node hosts to -SecurityEngineNodeIp as a single comma-separated string; the example below lists five nodes.

    PS C:\> .\Renew-Self-signed-certificate.exe -StorageManagerIp "SM host" -SecurityEngineNodeIp "SEN1 Host, SEN2 Host, SEN3 Host, SEN4 Host, SEN5 Host" -DirectoryListenerIp "DL Host"
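Once the tool has run, in either architecture, confirm that each component actually presents the new certificate instead of assuming it did. The PowerShell function below is an added example, not part of the product documentation or the renewal tool: it opens a TLS connection to each host, captures the server certificate and reports its thumbprint, expiry, signature hash, key size and SAN. The host names and the port (443) are placeholders; use the port each component actually listens on, and supply the thumbprint of the certificate being replaced if you want the script to flag hosts still serving it.

```powershell
# Added example (not from the product documentation or the renewal tool).
# Connects to each host over TLS and reports the certificate it presents.
# Host names, port and old thumbprint are placeholders.
function Get-RemoteTlsCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [int]$TimeoutMs = 5000
    )
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        if (-not $client.ConnectAsync($HostName, $Port).Wait($TimeoutMs)) {
            throw "Timed out connecting to ${HostName}:$Port"
        }
        # We are inspecting the certificate, not trusting it, so accept any chain here.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $accept)
        try {
            $ssl.AuthenticateAsClient($HostName)
            $proto = $ssl.SslProtocol
            # Copy the certificate before the stream is disposed.
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        } finally { $ssl.Dispose() }
    } finally { $client.Dispose() }

    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)

    [pscustomobject]@{
        Host       = $HostName
        Port       = $Port
        Protocol   = $proto
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotBefore  = $cert.NotBefore
        NotAfter   = $cert.NotAfter
        DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
        SigAlg     = $cert.SignatureAlgorithm.FriendlyName
        KeyBits    = if ($rsa) { $rsa.KeySize } else { $null }
        SAN        = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }
    }
}

# Same hosts that were passed to the renewal tool (placeholders), plus the old
# certificate's thumbprint so a host that was not updated is called out.
$hosts = @('SM host', 'SEN1 Host', 'SEN2 Host', 'DL Host')
$oldThumbprint = 'OLD-CERT-THUMBPRINT'   # placeholder

foreach ($h in $hosts) {
    try {
        $c = Get-RemoteTlsCertificate -HostName $h
        if ($c.Thumbprint -eq $oldThumbprint) { Write-Warning "$h still presents the old certificate" }
        if ($c.DaysLeft -lt 30)               { Write-Warning "$h certificate expires in $($c.DaysLeft) days" }
        if ($c.SigAlg -match 'sha1')          { Write-Warning "$h certificate is signed with SHA-1" }
        if ($c.KeyBits -and $c.KeyBits -lt 2048) { Write-Warning "$h RSA key is only $($c.KeyBits) bits" }
        if ($c.SAN -notmatch [regex]::Escape($h)) { Write-Warning "$h is not named in the certificate SAN" }
        $c
    } catch {
        Write-Warning "${h}: $($_.Exception.Message)"
    }
}
```

The validation callback deliberately accepts every chain because the point is to read what the server sends, including a wrong or stale certificate; do not copy that callback into any code that actually trusts the connection.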