See below to restore the PKI Hub status when installed in several nodes.
Restoring the database
Restore the database according to the vendor's instructions.
The database should be accessible on the same IP address or hostname as in the original installation.
Restoring the HSM
If the deployed solutions use an HSM (Hardware Security Module) to protect private keys, restore the device using the tools provided by the HSM vendor.
Restoring the network
Configure the same network settings as in the original installation. For example:
- Node IP addresses and hostnames
- DNS and NTP servers
Restoring the PKI Hub software
Follow the steps in Starting up PKI Hub to reproduce the PKI Hub installation used for Backing up. Specifically:
- Install the same PKI Hub release
- Add the same number of nodes as in the original installation
On a 3-node cluster installation, this process is expected to take ~3h.
Pre-conditions
The client-facing hostname or IP address of the recovered cluster must be the same as that of the backed-up cluster and must always match:
- The hostname of the Management Console URL.
- The IP address or hostname in the CDP (CRL Distribution Points) and AIA (Authority Information Access) fields of the certificates issued by the Certificate Authority.
- The CA Gateway IP address or hostname configured in client applications such as Certificate Manager or Certificate Enrollment Gateway.
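A check for the CDP and AIA pre-condition above, as an added example that is not part of the PKI Hub documentation or tooling: it reads the text output of `openssl x509 -noout -text` for an issued certificate and compares the hosts in its CDP and AIA URIs with the hostname the recovered cluster will serve. The function names, the `example.test` hostnames and the sample certificate text are constructed for illustration.

```shell
# Added example (not vendor code); input is `openssl x509 -noout -text` output on stdin.
# Print "CDP host" / "AIA host" for each URI under those two extensions.
cdp_aia_hosts() {
  awk '
    {
      body = $0; sub(/^ +/, "", body); indent = length($0) - length(body)
      # Extension names sit at 12 spaces or less; their values are deeper.
      if (body != "" && indent <= 12) {
        field = ""
        if (body ~ /CRL Distribution Points:/) field = "CDP"
        else if (body ~ /Authority Information Access:/) field = "AIA"
        next
      }
    }
    field != "" && /URI:/ {
      url = $0; sub(/^.*URI:/, "", url)            # keep only the URL
      sub("^[A-Za-z][A-Za-z0-9+.-]*://", "", url)  # strip scheme://
      sub("[/?#].*$", "", url)                     # strip path and query
      sub(/^.*@/, "", url)                         # strip userinfo
      sub(/:[0-9]+$/, "", url)                     # strip port
      print field, tolower(url)
    }'
}

# Exit 0 if every CDP/AIA host equals $1, 1 on a mismatch, 2 if none found.
check_cdp_aia() {
  want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  hosts=$(cdp_aia_hosts)
  [ -n "$hosts" ] || { echo "no CDP/AIA URIs found" >&2; return 2; }
  bad=$(printf '%s\n' "$hosts" | awk -v want="$want" '$2 != want')
  [ -z "$bad" ] && return 0
  printf '%s\n' "$bad" | sed 's/^/mismatch: /' >&2; return 1
}

# Constructed sample of `openssl x509 -noout -text` output (not a real cert).
sample_cert_text() {
  cat <<'EOF'
            X509v3 Subject Alternative Name:
                URI:https://other.example.test/id
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://pkihub.example.test/crl/ca.crl

            Authority Information Access:
                CA Issuers - URI:http://pkihub.example.test/ca/ca.cer
                OCSP - URI:http://PKIHUB.example.test:8080/ocsp
    Signature Algorithm: sha256WithRSAEncryption
EOF
}
```

To run it against a real certificate, pipe `openssl x509 -in <certificate file> -noout -text` into `check_cdp_aia <hostname>`; a non-zero exit status means the restored cluster would not serve the URLs embedded in that certificate.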
Installing the TLS certificate
Install the TLS certificate.
- If the node hostnames or IP addresses match those in the original installation and you want to use the same certificate, run the clusterctl certificate command using the TLS certificate and key backup.
- Otherwise, run the clusterctl certificate command using a newly generated TLS certificate and key pair.
To avoid further configuration, we recommend using the same CA to issue the new certificate.
Restoring cluster settings
Restore the cluster policies and settings.
- Run clusterctl volume capacity to restore the previous volume capacity policies.
- Run clusterctl retention config logs to restore the previous log retention period.
- Run clusterctl retention config metrics to restore the previous metric retention period.
- Run clusterctl proxy set to restore the previous proxy settings.
Restoring the PKI Hub state
Restore the state of the PKI Hub installation.
- Import the license as explained in Setting the license.
- In any installation node, run the clusterctl backup restore command using the file generated when Backing up.
This command is expected to take ~5 min to complete.
- Log in to the Management Console at:
https://<hostname>:8443/management-console
- Click Deploy for all the solutions deployed on the original installation.
The deployment process is expected to take ~30 min (~5 min per solution).