This article explains how to update Provider Connectivity Assurance with new certificates after you have obtained them from your certificate authority.
Prerequisites
After acquiring the certificates for Provider Connectivity Assurance, you should have the following files:
- Server Certificate (.cer or .pem): Used by Provider Connectivity Assurance to identify itself.
- Server Key (.key): The private key that pairs with the server certificate.
- CA Certificate: Used to validate the server certificate and confirm the identity of Provider Connectivity Assurance.
You will also need the following:
- Vault root token: This is typically saved in a text file (such as vault.txt) located in the installation folder.
# Sample of Vault credentials
{"keys": ["<key>"], "keys_base64": ["<key_base64>"], "root_token": "<root_token>"}
- The name of the deployment (found in the inventory configuration file)
- The name of the tenant (found in the inventory configuration file)
# Section of inventory file
vars:
  ansible_user: admin
  deployment_name: <deployment_name>
  tenant_name: <tenant>
  basedomain: accedian.io
Procedure
To update the certificates:
- Update the inventory file.
- Open the inventory configuration file and update the following lines in the files: section:
files:
  tls_key_path: <path_to_key>
  tls_cert_path: <path_to_cert>
Replace <path_to_key> and <path_to_cert> with the paths to your server key and certificate files.
- Enter the new server certificate and key into the local Vault Instance.
- Replace the contents of the ~/.vault-token file with the root token to log into the Vault Instance.
- Use the following commands to insert the certificate and key into Vault:
cd
cd skylight-installer
- Insert the certificate:
bin/vaultCmd.sh kv put secret/deployer/certs/onprem/{deployment_name}-{tenant} cert=@<path_to_cert>
Replace <path_to_cert> with the path to your certificate file.
The output should resemble the following:
===================== Secret Path =====================
secret/data/deployer/certs/onprem/performance-analytics
====== Metadata ======
Key Value
--- -----
created_time 2025-10-10T19:18:12.593336906Z
deletion_time n/a
destroyed false
version 1
- Insert the key:
bin/vaultCmd.sh kv patch secret/deployer/certs/onprem/{deployment_name}-{tenant} key=@<path_to_key>
Replace <path_to_key> with the path to your key file.
The output should resemble the following:
===================== Secret Path =====================
secret/data/deployer/certs/onprem/performance-analytics
====== Metadata ======
Key Value
--- -----
created_time 2025-10-10T19:19:52.218915496Z
deletion_time n/a
destroyed false
version 2
- Use the following command to confirm that your certificate and key have been successfully stored in Vault:
bin/vaultCmd.sh kv get secret/deployer/certs/onprem/{deployment_name}-{tenant}
The output should display the contents of your certificate and key:
===================== Secret Path =====================
secret/data/deployer/certs/onprem/performance-analytics
====== Metadata ======
Key Value
--- -----
created_time 2025-10-10T19:19:52.218915496Z
deletion_time n/a
destroyed false
version 2
==== Data ====
Key Value
--- -----
cert -----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
key -----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
- Reset the vault authorization token from the root token to the admin token:
bin/vaultSetUserToken.sh
The output should resemble the following:
admin@dle-pca:~/skylight-installer$ bin/vaultSetUserToken.sh
Getting a token with the proper policies
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 546 100 488 100 58 238k 29000 --:--:-- --:--:-- --:--:-- 266k
Your user vault token s.9siYijlQf3G8rQ9GxbZRlH6w is now active. It was saved in your ~/.vault-token
It has the following policies
{
"request_id": "d5f642ae-ec48-1bf9-9bb4-f391af50043f",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": null,
"wrap_info": null,
"warnings": null,
"auth": {
"client_token": "s.9siYijlQf3G8rQ9GxbZRlH6w",
"accessor": "NFXmRIDZy935R5PQyhpfSNBL",
"policies": [
"admin-ssh-users",
"default",
"deployer-secrets-read"
],
"token_policies": [
"admin-ssh-users",
"default",
"deployer-secrets-read"
],
"metadata": null,
"lease_duration": 2764800,
"renewable": true,
"entity_id": "",
"token_type": "service",
"orphan": false
}
}
- Redeploy Provider Connectivity Assurance:
Note: This process will not erase your existing data.
bin/onprem-deploy.sh 15.111.85 variables.env inventory
- After the deployment, verify that all Docker services are running:
docker service ls
Once the services are up, you can confirm that the new certificate is installed by opening the web UI in your browser.
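A pre-flight check for the files listed under Prerequisites, worth running before the Vault insert steps: it confirms that the key pairs with the certificate, that the certificate verifies against the CA file, and that the certificate is not about to expire. This is an added example, not part of the vendor procedure; the function names and the 30-day default are assumptions, and the demo pair it can generate is constructed sample input.

```shell
#!/bin/sh
# Added example (not vendor code). Function names are hypothetical;
# only standard openssl subcommands are used.

# True when the private key pairs with the certificate (same public key).
cert_matches_key() {  # <cert> <key>
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True when the certificate verifies against the CA file.
cert_chains_to_ca() {  # <cert> <ca>
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# True when the certificate is still valid <days> from now.
cert_valid_for_days() {  # <cert> <days>
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Run all three checks; the return code identifies the first failure.
preflight() {  # <cert> <key> <ca> [min_days, default 30 (assumption)]
    cert_matches_key "$1" "$2" ||
        { echo "FAIL: key does not pair with certificate" >&2; return 1; }
    cert_chains_to_ca "$1" "$3" ||
        { echo "FAIL: certificate does not verify against CA file" >&2; return 2; }
    cert_valid_for_days "$1" "${4:-30}" ||
        { echo "FAIL: certificate expires within ${4:-30} days" >&2; return 3; }
    echo "OK: certificate, key and CA file are consistent"
}

# Constructed sample input: a throwaway self-signed pair, valid 7 days,
# written to <prefix>.pem and <prefix>.key.
make_demo_pair() {  # <prefix>
    openssl req -x509 -newkey rsa:2048 -nodes -days 7 \
        -subj "/CN=$(basename "$1").example.test" \
        -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

# Usage: sh preflight.sh <path_to_cert> <path_to_key> <path_to_ca> [min_days]
if [ "$#" -ge 3 ]; then preflight "$@"; fi
```
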
© 2025 Cisco and/or its affiliates. All rights reserved.