Chef bootstrap chef-server, deploy the own validation.pem and webui.pem

chef

I have existing validation and webui private keys that I wish to use on a new chef-server deployment. Part of my bootstrap template copies these keys to /etc/chef/. When chef-solo does its run and starts chef-server, how can I prevent it from overwriting /etc/chef/validation.pem and /etc/chef/webui.pem?

Alternatively, is there a process to replace validation.pem and webui.pem with another pair of keys that I have in hand? All I can find is instructions on having the server regenerate them.

Best Answer

validation.pem is the private key of a special client in chef server named chef-validator, while webui.pem is the private key of the chef client webui.

You can regenerate the private/public keys of any client via knife API or chef server web UI.

Personally, I would not suggest "replacing" a private key but regenerating it, because this is sensitive data and you'd better not keep using a special one for a long time. Instead, please regenerate them in a certain period for security reasons.

However, it's doable to hack the bookshelf data store under /var/opt/chef-server/bookshelf/data of your chef 11 server host to change the public key stored in an object file. For example, you can extract the object URL when you perform the command knife client show chef-validator -VV. I strongly recommend against this way because it's hacking.
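Whichever route is taken (regenerating with knife, e.g. knife client reregister chef-validator -f /etc/chef/validation.pem, or reusing a key already in hand), the check worth running afterwards is that the private key sitting in /etc/chef actually corresponds to the public key the server holds for that client, since a mismatch only surfaces later as failed client authentication. The script below is an added example and is not code from the question or the answer above; it assumes openssl is installed, and the public key PEM it compares against is whatever you saved from the public_key field of knife client show (the file paths are placeholders).

```shell
#!/bin/sh
# Added example (not from the original question or answer): confirm that a
# client private key placed in /etc/chef matches the public key Chef Server
# reports for that client. Assumes openssl is on PATH.

# Print the PEM public key derived from an RSA private key file ($1).
pubkey_from_private() {
  openssl rsa -in "$1" -pubout 2>/dev/null
}

# Stable fingerprint of a PEM public key file ($1):
# SHA-256 over the DER-encoded SubjectPublicKeyInfo, hex only.
pubkey_fingerprint() {
  openssl pkey -pubin -in "$1" -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Return 0 when private key $1 corresponds to public key PEM $2,
# 1 when they differ, 2 when either file cannot be parsed.
keys_match() {
  priv="$1"; pub="$2"
  tmp=$(mktemp) || return 2
  if ! pubkey_from_private "$priv" > "$tmp"; then
    rm -f "$tmp"; return 2
  fi
  a=$(pubkey_fingerprint "$tmp")
  b=$(pubkey_fingerprint "$pub")
  rm -f "$tmp"
  [ -n "$a" ] && [ -n "$b" ] || return 2
  [ "$a" = "$b" ]
}

# Usage (paths are assumptions): save the server-side public key first, e.g.
#   knife client show chef-validator -F json | jq -r .public_key > /tmp/validator.pub
# then:
#   keys_match /etc/chef/validation.pem /tmp/validator.pub && echo "key matches server"
```

If keys_match returns 1 after a bootstrap, the server regenerated the client key (or your template copied a stale one) and the key in /etc/chef will not authenticate; reregistering the client with the key you intend to keep, rather than editing bookshelf objects by hand, brings the two sides back into agreement.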