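Rules may stop while the certificates are being replaced. If the rules cannot be stopped, do not carry out the steps below.
Perform the following steps on all control machines.
1. Stop i2up
# systemctl stop i2up
2. Rename certs
# mv /usr/info2soft/cntlcenter/etc/certs /usr/info2soft/cntlcenter/etc/certs.bak
3. Create the certs directory and change into it
# mkdir -p /usr/info2soft/cntlcenter/etc/certs
# cd /usr/info2soft/cntlcenter/etc/certs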

Perform the following steps on control machine 1 only; do not run them on the other control machines.
4. Generate the CA certificate
# openssl req -newkey rsa:3072 -keyout ca.key -out ca.csr

Example:
# openssl req -newkey rsa:3072 -keyout ca.key -out ca.csr
Generating a RSA private key
........................................................................................................................++++
...............................++++
writing new private key to 'ca.key'
Enter PEM pass phrase: (enter a complex password; otherwise the other passwords for the control machine cannot be generated)
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:i2 (enter as needed)
Email Address []:
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: (enter the password entered earlier)
An optional company name []:
 
5. Sign the certificate
# openssl x509 -req -days 365 -sha256 -extfile /etc/pki/tls/openssl.cnf -extensions v3_ca -in ca.csr -signkey ca.key -out ca.crt

Example:
# openssl x509 -req -days 365 -sha256 -extfile /etc/pki/tls/openssl.cnf -extensions v3_ca -in ca.csr -signkey ca.key -out ca.crt
Signature ok
subject=C = CN, L = Default City, O = Default Company Ltd, CN = test-diff-name
Getting Private key
Enter pass phrase for ca.key: (enter the password entered earlier)
 
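6. Copy the certificates to the other control machines
# scp /usr/info2soft/cntlcenter/etc/certs/* <other-control-machine-IP>:/usr/info2soft/cntlcenter/etc/certs/


Perform the following steps on all control machines.
7. Update the console's CA key password (a complex password is required; a simple one cannot be set)
# /usr/info2soft/cntlcenter/bin/encrypt_tool pass update --ca

Example: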
# /usr/info2soft/cntlcenter/bin/encrypt_tool pass update --ca
1.Please enter the initial password of CA Key:
*************
2.Please re-enter the initial password of CA Key:
*************

8. Generate the console's other certificates
# /usr/info2soft/cntlcenter/bin/encrypt_tool certs init


Example:
# /usr/info2soft/cntlcenter/bin/encrypt_tool certs init
validating certificate period for ca certificate
2024-04-11T20:52:12.518+0800    info    [certs] Using the existing CA certificate "/usr/info2soft/cntlcenter/etc/certs/ca.crt" and key "/usr/info2soft/cntlcenter/etc/certs/ca.key"
2024-04-11T20:52:13.074+0800    info    [certs] Generating "console.up.com" certificate and key
2024-04-11T20:52:13.082+0800    info    [certs] console.up.com serving cert is signed for DNS names [localhost up up.default up.local vm40410151922253] and IPs [127.0.0.1 ::1 10.1.7.99]
2024-04-11T20:52:13.947+0800    info    [certs] Generating "db" certificate and key
2024-04-11T20:52:13.954+0800    info    [certs] db serving cert is signed for DNS names [localhost up up.default up.local vm40410151922253] and IPs [127.0.0.1 ::1 10.1.7.99]
2024-04-11T20:52:13.954+0800    info    [certs] Valid certificates and keys now exist in "/usr/info2soft/cntlcenter/etc/certs/"
2024-04-11T20:52:14.960+0800    info    [certs] Generating "st" key and public key
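9. Copy the lic.crt file into certs
# cp /usr/info2soft/cntlcenter/etc/certs.bak/lic.crt /usr/info2soft/cntlcenter/etc/certs
10. Fix the file ownership
# chown -R i2runner: /usr/info2soft/cntlcenter/etc/certs/


11. Start i2up
# systemctl start i2up
12. Log in from the browser
If you cannot log in, close the browser and open it again.
13. Reset the certificates. Because the certificates have been replaced, rules may stop. If the rules cannot be stopped, do not perform this operation.

14. Start the rules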
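
A check that can be run on each control machine after step 10 and before i2up is started, as an added example (not part of the original procedure or the vendor's tooling): it confirms that every certificate in the certs directory verifies against the new ca.crt, that nothing is within 30 days of expiry, and that no private key is readable by group or others. It assumes private keys end in .key and skips lic.crt, which is carried over from certs.bak.

```shell
#!/bin/sh
# Added example, not vendor code. Assumptions: ca.crt in the directory is the
# new CA, private keys end in .key, and lic.crt (copied from certs.bak) is not
# expected to chain to the new CA, so it is skipped.

# check_certs DIR [MIN_DAYS] -> returns 0 if every check passes, 1 otherwise.
check_certs() {
    dir=$1; min_days=${2:-30}; min_secs=$(( min_days * 86400 )); bad=0

    for crt in "$dir"/*.crt; do
        [ -e "$crt" ] || continue
        name=${crt##*/}
        [ "$name" = "lic.crt" ] && continue

        # Expiry: step 5 issues the CA for 365 days, so flag anything close to expiry.
        if ! openssl x509 -in "$crt" -noout -checkend "$min_secs" >/dev/null 2>&1; then
            echo "EXPIRING: $name is not valid for another $min_days days"; bad=1
        fi

        # Chain: every other certificate must verify against the replaced CA.
        [ "$name" = "ca.crt" ] && continue
        if ! openssl verify -CAfile "$dir/ca.crt" "$crt" >/dev/null 2>&1; then
            echo "UNTRUSTED: $name does not verify against ca.crt"; bad=1
        fi
    done

    # Permissions: private keys must not be accessible to group or others.
    for key in "$dir"/*.key; do
        [ -e "$key" ] || continue
        if [ -n "$(find "$key" -perm /077)" ]; then
            echo "EXPOSED: ${key##*/} is accessible to group/other"; bad=1
        fi
    done
    return "$bad"
}

# Run against a directory only when one is given on the command line.
if [ "$#" -gt 0 ]; then check_certs "$@"; fi
```

Saved under a name such as check_certs.sh (hypothetical), it is run as `sh check_certs.sh /usr/info2soft/cntlcenter/etc/certs`; any output line names a file to fix before i2up is started.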
 

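I. Fresh installation of multiple control machines

1. Install control machine 1 normally
A standard installation is all that is needed.

2. Create the required directory on control machine 2
# mkdir -p /usr/info2soft/cntlcenter/
3. Copy the etc directory under the installation directory of control machine 1 to control machine 2
# scp -r /usr/info2soft/cntlcenter/etc/ <control-machine-2-IP>:/usr/info2soft/cntlcenter/

4. Install control machine 2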