Full procedure for renewal of self signed certs?

Hi all! I have a fleet operating with a self signed cert that is about to expire. I have mostly used the answers in this post to get both my root and vpn certs updated.

So, I believe my certs in config/certs/vpn and config/certs/root are good to go, but what about config/certs/api? This cert has a similar 2 year expiration, but I’m not sure what it is used for or how to renew it properly. I believe this is not used for serving the API despite its name because I see the root cert used for the api subdomain.

Any help/tips would be greatly appreciated! Thank you!

VPN and root do seem to cover the essentials, though there are some nuances around the OpenBalena → BalenaOS API (remote logging or certain remote access features besides basic tunnel?) that I am not sure about. My guess was that @dash’s method for VPN would also work for API with adjustments, but will leave that to someone who has tried it.

I believe the cert in question is related to JOSE/JWT? It appears I can leave it expired…