Certificate Rotation
This page describes the rotation of certificates for the standalone components, such as the a9s Backup Manager or the a9s SPIs, as well as the components that are colocated on a Service Instance like the a9s Backup Agent.
It may be necessary to rotate either only the leaf certificates themselves or the CA certificate as well. Depending on the use case, further steps are required. These are explained in the following sections.
Leaf Certificate Rotation
Service Instance's Colocated Components
The leaf certificates of components that are colocated on an individual Service Instance can be rotated by using the custom parameter force_certificate_rotation:
cf update-service <service_instance_name> -c '{"force_certificate_rotation": true}'
Standalone Components
To rotate a leaf certificate of a standalone component, CredHub must be used to regenerate the related certificate:
credhub regenerate -n '<path-to-certificate>'
Then apply the new leaf certificate with bosh deploy:
bosh -d <deployment-name> deploy (...)
CA Certificate Rotation
For rotating CA certificates, the rotation steps provided by CredHub are used. For more information, see the CredHub Rotation documentation.
CredHub MUST have the credhub.certificates.concatenate_cas configuration set to true.
Step 1: Regenerate the Root CA
First, retrieve the id of the CA certificate (/a9s_private_components_ca):
credhub curl -p "/api/v1/certificates?name=/a9s_private_components_ca"
Example output
{
"certificates": [
{
"id": "8f8cbee2-af90-4afb-9f57-e934e2cb4dcf",
"name": "/a9s_private_components_ca",
"signed_by": "/a9s_private_components_ca",
(...)
Then, use the id to regenerate the CA certificate:
credhub curl -p "/api/v1/certificates/8f8cbee2-af90-4afb-9f57-e934e2cb4dcf/regenerate" \
-d '{"set_as_transitional": true}' -X POST
After this step, the old CA and the new CA have been concatenated. The concatenated CAs must now be applied as follows:
- Standalone components must be updated with bosh deploy.
- Colocated components must be updated using the a9s Deployment Updater of the corresponding a9s Data Service. For this, the strategy.update.instance_type property of the a9s Deployment Updater MUST be set to provisioned.
Step 2: Regenerate Leaf Certificates with the New CA Certificate
First, retrieve the CAs and identify the id for each certificate version:
credhub curl -p "/api/v1/data?name=/a9s_private_components_ca&current=true"
Example output
{
"data": [
{
"certificate_authority": true,
"expiry_date": "2024-02-22T22:18:58Z",
"generated": true,
"id": "ac1b5129-4865-4473-84e9-902afee18921",
"metadata": null,
"name": "/a9s_private_components_ca",
"self_signed": true,
"transitional": false,
"type": "certificate",
(...)
},
{
"certificate_authority": true,
"expiry_date": "2024-02-23T03:22:31Z",
"generated": true,
"id": "90cfe1cc-9f51-4824-a775-0f22d53d5a20",
"metadata": null,
"name": "/a9s_private_components_ca",
"self_signed": true,
"transitional": true,
"type": "certificate",
(...)
Identify the certificate version with the transitional flag set to false, and switch the transitional flag to that version:
credhub curl -p /api/v1/certificates/8f8cbee2-af90-4afb-9f57-e934e2cb4dcf/update_transitional_version \
-d '{ "version": "ac1b5129-4865-4473-84e9-902afee18921" }' -X PUT
Then, regenerate all leaf certificates signed by the CA on /a9s_private_components_ca:
credhub bulk-regenerate --signed-by=/a9s_private_components_ca
The new certificates will be generated and signed with the new CA certificate.
The new leaf certificates must now be applied as follows:
- Standalone components must be updated with bosh deploy.
- Colocated components must be updated using the a9s Deployment Updater of the corresponding a9s Data Service. For this, the strategy.update.instance_type property of the a9s Deployment Updater MUST be set to provisioned.
Step 3: Remove the Old CA Certificate
First, remove the old CA certificate from CredHub:
credhub curl -p /api/v1/certificates/8f8cbee2-af90-4afb-9f57-e934e2cb4dcf/update_transitional_version \
-d '{"version": null}' -X PUT
The change must now be applied as follows:
- Standalone components must be updated with bosh deploy.
- Colocated components must be updated using the a9s Deployment Updater of the corresponding a9s Data Service. For this, the strategy.update.instance_type property of the a9s Deployment Updater MUST be set to provisioned.
After that, the old CA certificate should have been removed, and there should only be the new CA certificate and the new leaf certificates signed by the new CA.
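The three CA rotation steps above are easy to get out of order, and the version id that has to be passed to update_transitional_version has to be picked out of the JSON by hand. The following script is an added example, not part of the a9s documentation or the a9s tooling: it wraps the credhub commands from Steps 1 to 3 in one subcommand per step, parses the ids out of the credhub curl output shown above, and adds a final check that only a single CA version is current once the old CA has been dropped. It assumes the credhub CLI is on PATH and already logged in, that the CA is /a9s_private_components_ca, and that CredHub lists the "id" field before the "transitional" field inside each version object (as in the example output on this page). The bosh deploy / Deployment Updater runs that the page requires between the steps are not performed by the script; that is why each step is a separate subcommand.

```shell
#!/usr/bin/env bash
# Added example (not a9s code): wrapper around the credhub calls for CA rotation.
# Assumes: credhub CLI on PATH and logged in; CA path /a9s_private_components_ca.
set -eu

CA_NAME="/a9s_private_components_ca"

# Constructed sample output (truncated copies of the page's example output),
# used to exercise the parsers below offline.
SAMPLE_CERTS='{
  "certificates": [
    {
      "id": "8f8cbee2-af90-4afb-9f57-e934e2cb4dcf",
      "name": "/a9s_private_components_ca",
      "signed_by": "/a9s_private_components_ca"
    }
  ]
}'
SAMPLE_VERSIONS='{
  "data": [
    {
      "certificate_authority": true,
      "id": "ac1b5129-4865-4473-84e9-902afee18921",
      "name": "/a9s_private_components_ca",
      "transitional": false
    },
    {
      "certificate_authority": true,
      "id": "90cfe1cc-9f51-4824-a775-0f22d53d5a20",
      "name": "/a9s_private_components_ca",
      "transitional": true
    }
  ]
}'

# Certificate id: the first "id" in /api/v1/certificates?name=... output (stdin).
certificate_id() {
  awk '/"id":/ && !done { gsub(/[",]/, "", $2); print $2; done = 1 }'
}

# Id of the version whose transitional flag is false, from
# /api/v1/data?name=...&current=true output (stdin). Relies on "id" appearing
# before "transitional" within each version object, as in the page's output.
non_transitional_version_id() {
  awk '
    /"id":/                           { gsub(/[",]/, "", $2); id = $2 }
    /"transitional": *false/ && !done { print id; done = 1 }
  '
}

# Number of current versions listed in /api/v1/data?...&current=true output (stdin).
version_count() {
  awk '/"id":/ { n++ } END { print n + 0 }'
}

# Step 1: regenerate the root CA as a transitional version.
step1_regenerate_root_ca() {
  local cert_id
  cert_id=$(credhub curl -p "/api/v1/certificates?name=$CA_NAME" | certificate_id)
  credhub curl -p "/api/v1/certificates/$cert_id/regenerate" \
    -d '{"set_as_transitional": true}' -X POST
  echo "certificate id: $cert_id (needed for step2 and step3); now run bosh deploy / the Deployment Updater"
}

# Step 2: mark the old version transitional, then regenerate all leaf certificates.
step2_regenerate_leaves() { # $1 = certificate id printed by step1
  local old_version
  old_version=$(credhub curl -p "/api/v1/data?name=$CA_NAME&current=true" | non_transitional_version_id)
  [ -n "$old_version" ] || { echo "no non-transitional CA version found" >&2; return 1; }
  credhub curl -p "/api/v1/certificates/$1/update_transitional_version" \
    -d "{\"version\": \"$old_version\"}" -X PUT
  credhub bulk-regenerate --signed-by="$CA_NAME"
  echo "leaf certificates regenerated; now run bosh deploy / the Deployment Updater"
}

# Step 3: clear the transitional flag so the old CA is no longer served.
step3_remove_old_ca() { # $1 = certificate id printed by step1
  credhub curl -p "/api/v1/certificates/$1/update_transitional_version" \
    -d '{"version": null}' -X PUT
  echo "old CA removed; now run bosh deploy / the Deployment Updater"
}

# After step 3, exactly one current CA version should remain.
verify_single_ca() {
  local n
  n=$(credhub curl -p "/api/v1/data?name=$CA_NAME&current=true" | version_count)
  [ "$n" -eq 1 ]
}

main() {
  case "${1:-}" in
    step1)  step1_regenerate_root_ca ;;
    step2)  step2_regenerate_leaves "${2:?certificate id required}" ;;
    step3)  step3_remove_old_ca "${2:?certificate id required}" ;;
    verify) verify_single_ca && echo "OK: a single CA version is current" ;;
    *) echo "usage: $0 step1 | step2 <cert-id> | step3 <cert-id> | verify" >&2; return 2 ;;
  esac
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run `step1`, deploy, `step2 <cert-id>`, deploy, `step3 <cert-id>`, deploy, then `verify`; the parsers use awk only, so the script has no dependency beyond the credhub CLI.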