Certificate Rotation
Warning
Certificate rotation replaces existing certificates with new ones, either when a certificate expires or as required by your organization's policy. When a new CA replaces the old one, the root certificate for the cluster must also be replaced.
Certificate rotation is also required when the key of a node, client, or CA is compromised, and whenever the contents of a certificate need to change. For example, to add another DNS name or the IP address of a load balancer that is used to reach a node, you rotate only the certificates of that node.
Prerequisites
- You can either use existing certificates or generate new ones; the steps for generating certificates are documented separately.
Rotate Using the cert-rotate Command
Note
- The cert-rotate commands below can only be executed from the bastion host.
- If you want to use certificates stored on another node of the HA cluster, provide the remote path to the certificates in the <IP_ADDRESS_OF_NODE>:<ABSOLUTE_PATH_TO_THE_CERT_FILE> format instead of a local path.
Rotate Certificates of Each Service
If you want to rotate certificates of the entire cluster, use the following commands:
- To rotate certificates of the Automate cluster:
chef-automate cert-rotate --public-cert <path of public certificate> --private-cert <path of private certificate> --root-ca <path of root certificate> --a2
You can also use --automate or -a instead of the --a2 flag.
- To rotate certificates of the Chef Server cluster:
chef-automate cert-rotate --public-cert <path of public certificate> --private-cert <path of private certificate> --cs
You can also use --chef_server or -c instead of the --cs flag.
- To rotate certificates of the PostgreSQL cluster:
chef-automate cert-rotate --public-cert <path of public certificate> --private-cert <path of private certificate> --root-ca <path of root certificate> --pg
You can also use --postgresql or -p instead of the --pg flag.
- To rotate certificates of the OpenSearch cluster:
chef-automate cert-rotate --public-cert <path of public certificate> --private-cert <path of private certificate> --root-ca <path of root certificate> --admin-cert <path of admin certificate> --admin-key <path of admin key> --os
You can also use --opensearch or -o instead of the --os flag.
Rotate Certificates of a Particular Node
If you want to rotate the certificates of a particular node, use the following commands:
- To rotate the certificates of a particular Automate node:
chef-automate cert-rotate --public-cert <path of public certificate> --private-cert <path of private certificate> --a2 --node <IP of a particular automate node>
You can also use --automate or -a instead of the --a2 flag.
- To rotate the certificates of a particular Chef Server node:
chef-automate cert-rotate --public-cert <path of public certificate> --private-cert <path of private certificate> --cs --node <IP of a particular chef server node>
You can also use --chef_server or -c instead of the --cs flag.
- To rotate the certificates of a particular PostgreSQL node:
chef-automate cert-rotate --public-cert <path of public certificate> --private-cert <path of private certificate> --pg --node <IP of a particular postgresql node>
You can also use --postgresql or -p instead of the --pg flag.
- To rotate the certificates of a particular OpenSearch node:
chef-automate cert-rotate --public-cert <path of public certificate> --private-cert <path of private certificate> --os --node <IP of a particular opensearch node>
You can also use --opensearch or -o instead of the --os flag.
Note
chef-automate cert-rotate --public-cert <path of public certificate> --private-cert <path of private certificate> --root-ca <path of root certificate> --admin-cert <path of admin certificate> --admin-key <path of admin key> --os
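Before running any of the cert-rotate commands above, it is worth confirming that the files you are about to hand to the cluster belong together: the private key matches the public certificate, the certificate chains to the root CA you pass with --root-ca, it is not about to expire, and its subject alternative names cover the DNS name or IP that clients use to reach the node (the load-balancer case described at the top of this page). The POSIX shell script below is an added example and is not part of Chef Automate or its documentation. It assumes openssl is on PATH, builds a throwaway root CA and node certificate in a temporary directory purely as constructed test data, and only prints the cert-rotate command line it would run instead of executing it. The --a2, --cs, --pg, --os and --node flags it assembles are the ones shown above; the file names, the hostname automate.example.internal and the node address 10.0.0.1 are assumptions.

```shell
#!/bin/sh
# Added example (not Chef Automate code): pre-rotation checks for the files
# handed to `chef-automate cert-rotate`. Assumes openssl is on PATH.

# cert_key_match CERT KEY: 0 if KEY is the private key for CERT (compares public keys)
cert_key_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# cert_chains_to_root CERT ROOT_CA: 0 if CERT verifies against ROOT_CA alone
# (system trust stores are disabled so only the root you pass counts)
cert_chains_to_root() {
  openssl verify -no-CApath -no-CAfile -CAfile "$2" "$1" >/dev/null 2>&1
}

# cert_valid_for_days CERT DAYS: 0 if CERT is still valid DAYS days from now
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# cert_has_san CERT VALUE: 0 if VALUE is an exact DNS or IP subjectAltName entry
cert_has_san() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed 's/^ *//' \
    | grep -qx -e "DNS:$2" -e "IP Address:$2"
}

# preflight CERT KEY ROOT_CA ADDRESS: run every check, report the first failure
preflight() {
  cert_key_match "$1" "$2"      || { echo "FAIL: $2 is not the key for $1"; return 1; }
  cert_chains_to_root "$1" "$3" || { echo "FAIL: $1 does not chain to $3"; return 1; }
  cert_valid_for_days "$1" 30   || { echo "FAIL: $1 expires within 30 days"; return 1; }
  cert_has_san "$1" "$4"        || { echo "FAIL: $1 has no SAN for $4"; return 1; }
  echo "OK: $1 passed pre-rotation checks"
}

# rotate_cmd SERVICE CERT KEY ROOT_CA NODE: print the cert-rotate command line.
# SERVICE is a2, cs, pg or os; pass "" for ROOT_CA or NODE to omit that flag.
rotate_cmd() {
  cmd="chef-automate cert-rotate --public-cert $2 --private-cert $3"
  if [ -n "$4" ]; then cmd="$cmd --root-ca $4"; fi
  cmd="$cmd --$1"
  if [ -n "$5" ]; then cmd="$cmd --node $5"; fi
  printf '%s\n' "$cmd"
}

# make_test_pki: constructed test data only, a throwaway root CA and one node
# certificate with SANs, written to a temp dir whose path is printed.
make_test_pki() {
  d=$(mktemp -d) || return 1
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Constructed Test Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = automate-node-1\n' > "$d/node.cnf"
  # constructed SANs: the DNS name and the node IP that --node would target
  printf 'subjectAltName = DNS:automate.example.internal,IP:10.0.0.1\n' > "$d/san.ext"
  openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 365 \
    -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1 || return 1
  openssl req -new -config "$d/node.cnf" -newkey rsa:2048 -nodes \
    -keyout "$d/node.key" -out "$d/node.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$d/node.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
    -days 365 -extfile "$d/san.ext" -out "$d/node.crt" >/dev/null 2>&1 || return 1
  printf '%s\n' "$d"
}

# Demo: check the constructed node certificate, then show the command that would
# rotate only that node (assumed address 10.0.0.1); the wrong key is rejected.
PKI_DIR=$(make_test_pki) || { echo "could not build constructed test PKI"; exit 1; }
preflight "$PKI_DIR/node.crt" "$PKI_DIR/node.key" "$PKI_DIR/ca.crt" 10.0.0.1 \
  && rotate_cmd a2 "$PKI_DIR/node.crt" "$PKI_DIR/node.key" "$PKI_DIR/ca.crt" 10.0.0.1
preflight "$PKI_DIR/node.crt" "$PKI_DIR/ca.key" "$PKI_DIR/ca.crt" 10.0.0.1 || true
```

To use it against real files, call preflight with your certificate, key, root CA and the address clients use for the node, then pass the same paths to rotate_cmd. The remote <IP_ADDRESS_OF_NODE>:<ABSOLUTE_PATH_TO_THE_CERT_FILE> form described in the note above passes through rotate_cmd unchanged, but the openssl checks need local copies of the files.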