Update CA and server certs and also add couple more cold servers

Hello Team,
I am looking for answers to 2 major questions.

  1. I have used the link below to set up my entire stack in production, and everything looks fine so far.

The certs produced are valid for 3 years only, and I don't have ca.key to create new certs, which means I will have to start from the beginning in creating certs and placing them on all hosts, except that I have some 50TB of data and I don't want that data to be lost.

Please help me out of this situation.

  2. While creating new certs I would also like to add new nodes to the cluster. Can I just add the new nodes' IPs and DNS names, generate certs and add them the usual way, or is there any other procedure to be followed?

Stack details: 7.10
Architecture: Hot-Warm-Cold

Please help me with any possible solutions.

Important: Back up your data before changing settings. You may also want to test your procedure using empty clusters with the same setup, before you try it on your main setup.

In general, mixing certs from different CAs can be OK, if you ensure all of the CA certs are trusted.

For example, your web browser or OS may have ~100 certs in its truststore, all from public CAs. When you browse different websites, those server certs may be signed by different trusted CAs. As long as all of the CA certs that signed the different server certs are in your truststore, it works. For client certs, extra care may be needed.

Where to add multiple CA certs depends on which certs you are talking about. For example:

  • HTTPS server certs
  • Transport client/server certs
  • PKI realm for client certs
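A transitional elasticsearch.yml for the mixed-CA approach the answer describes, added here as an example (it is not from either poster; the file names, paths and the realm name `pki1` are assumed). Every existing node keeps its old cert but trusts both CAs first; only then are node certs swapped to the new CA, and new hot/warm/cold nodes are issued certs from the new CA from the start.

```yaml
# elasticsearch.yml (excerpt) on an EXISTING node during the transition.
# Assumed file names: old-ca.crt (original CA whose key is lost), new-ca.crt (new CA),
# node-old.crt/.key (this node's current cert, signed by the old CA).
# Step 1, rolling restart across all nodes: keep the old node cert, trust BOTH CAs.
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.certificate: certs/node-old.crt
xpack.security.transport.ssl.key: certs/node-old.key
xpack.security.transport.ssl.certificate_authorities:
  - certs/old-ca.crt
  - certs/new-ca.crt

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.certificate: certs/node-old.crt
xpack.security.http.ssl.key: certs/node-old.key
xpack.security.http.ssl.certificate_authorities:
  - certs/old-ca.crt
  - certs/new-ca.crt

# PKI realm (only if clients authenticate with certs): trust both CAs here too,
# otherwise users holding certs from the other CA are rejected mid-transition.
xpack.security.authc.realms.pki.pki1.order: 1
xpack.security.authc.realms.pki.pki1.certificate_authorities:
  - certs/old-ca.crt
  - certs/new-ca.crt

# Step 2, once every node runs the config above: on each existing node, and on every
# NEW node added to the cluster, point certificate/key at a cert issued by new-ca.
# A new node's cert must carry that node's own DNS names and IPs as SANs; the node
# still lists old-ca.crt above until the last old cert is gone.
# xpack.security.transport.ssl.certificate: certs/node-new.crt
# xpack.security.transport.ssl.key: certs/node-new.key
# xpack.security.http.ssl.certificate: certs/node-new.crt
# xpack.security.http.ssl.key: certs/node-new.key

# Step 3, after all node certs, client certs and the CA lists of Kibana, Beats and
# Logstash have moved to new-ca: drop old-ca.crt from every certificate_authorities list.
```

Data on disk is untouched throughout, because each step is a configuration change followed by a rolling restart rather than a re-creation of the cluster.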