Skip to main content

Certificate Rotation

[edit on GitHub]

Certificate rotation is the replacement of existing certificates with new ones when any certificate expires or is based on your organization’s policy. A new CA authority is substituted for the old, requiring a replacement of the root certificate for the cluster.

The certificate rotation is also required when the key for a node, client, or CA is compromised. If compromised, you need to change the contents of a certificate. For example, to add another DNS name or the IP address of a load balancer to reach a node, you have to rotate only the node certificates.

Rotate using OpenSSL

You can generate the required certificates or use your organization’s existing certificates. To rotate your certificates(from cd /hab/a2_deploy_workspace path), that are used in Chef Automate High Availability (HA), follow the steps below:

  • Navigate to your workspace folder(example: cd /hab/a2_deploy_workspace) and execute the ./scripts/credentials set ssl --rotate all command. The command rotates all the certificates of your organization.

    Note

    When you run the above command for the first time, a series of certificates are created and saved in /hab/a2_deploy_workspace/certs location. Identify the appropriate certificate. For example, to rotate certificates for PostgreSQL, use certificate values into pg_ssl_private.key, pg_ssl_public.pem, and ca_root.pem. Similarly, to rotate certificates for OpenSearch, use certificate values into ca_root.pem, oser_admin_ssl_private.key, oser_admin_ssl_public.pem, oser_ssl_private.key, oser_ssl_public.pem, kibana_ssl_private.key, and kibana_ssl_public.pem.

  • To rotate the PostgreSQL certificates, execute the ./scripts/credentials set ssl --pg-ssl command.

  • To rotate the OpenSearch certificates, execute the ./scripts/credentials set ssl --oser-ssl command.

  • If your organization issues a certificate from an intermediate CA, place the respective certificate after the server certificate as per the order listed. In the certs/pg_ssl_public.pem, place the following ordered list:

    • Server Certificate
    • Intermediate CA Certificate 1
    • Intermediate CA Certificate n

  • Execute the ./scripts/credentials set ssl command (with the appropriate options). This command deploys the nodes.

  • Execute the ./scripts/credentials set ssl --help command. The command will provide an information and a list of commands related to certificate rotation.

  • For rotating the PostgreSQL credentials, execute the ./scripts/credentials set postgresql --auto command.

  • For rotating the OpenSearch credentials, execute the ./scripts/credentials set opensearch --auto command.

Certificate Rotation

Rotate using Own Organization Certificates

To use existing certificates of your organization, follow the steps given below:

Note

All the commands will run from /hab/a2_deploy_workspace.

  • Run ./scripts/credentials set ssl --rotate-all

    • Run this command (for the first time) to create a skeleton of certificates. The certificate can be located in /hab/a2_deploy_workspace/certs directory. For example: to rotate the certificates for PostgreSQL, save the content of the certificate in pg_ssl_private.key, pg_ssl_public.pem, and ca_root.pem. Similarly, tto rotate the PostgreSQL certificate, run the command. The ca_root will remain the same for all the certificates if the ca_root is same for all the other certificates like opensearch, kibana, or frontend. The only thing which changes is the content of the appropriate certificate.

    • To rotate OpenSearch certificates, insert the content of the certificate of CA to ca_root.pem, oser_admin_ssl_private.key, oser_admin_ssl_public.pem, oser_ssl_private.key, oser_ssl_public.pem, kibana_ssl_private.key, and kibana_ssl_public.pem.

    • To rotate a specific certificate, run the following commands:

    ./scripts/credentials set ssl --pg-ssl (This will rotate PostgreSQL Certificates)

    ./scripts/credentials set ssl --es-ssl

    • To change all the certificates, add contents to the appropriate file and run the following command:

    ./scripts/credentials set ssl --rotate-all

    • The following command will give you all the information about certificate rotation:

    ./scripts/credentials set ssl --help

If your organization issues a certificate from an Intermediate CA, add the certificate in the sequence as shown below:

Server Certificate
Intermediate CA Certificate 1
Intermediate CA Certificate n

Copy the above content to certs/pg_ssl_public.pem.

Was this page helpful?

×









Search Results