Certificate Rotation
Warning
Certificate rotation is the replacement of existing certificates with new ones when any certificate expires or is based on your organization’s policy. A new CA authority is substituted for the old, requiring a replacement of the root certificate for the cluster.
The certificate rotation is also required when the key for a node, client, or CA is compromised. If compromised, you need to change the contents of a certificate. For example, to add another DNS name or the IP address of a load balancer to reach a node, you have to rotate only the node certificates.
Rotate using OpenSSL
You can generate the required certificates or use your organization’s existing certificates. To rotate your certificates(from cd /hab/a2_deploy_workspace
path), that are used in Chef Automate High Availability (HA), follow the steps below:
Navigate to your workspace folder(example:
cd /hab/a2_deploy_workspace
) and execute the./scripts/credentials set ssl --rotate all
command. The command rotates all the certificates of your organization.Note
When you run the above command for the first time, a series of certificates are created and saved in/hab/a2_deploy_workspace/certs
location. Identify the appropriate certificate. For example, to rotate certificates for PostgreSQL, use certificate values into pg_ssl_private.key, pg_ssl_public.pem, and ca_root.pem. Similarly, to rotate certificates for OpenSearch, use certificate values into ca_root.pem, oser_admin_ssl_private.key, oser_admin_ssl_public.pem, oser_ssl_private.key, oser_ssl_public.pem, kibana_ssl_private.key, and kibana_ssl_public.pem.To rotate the PostgreSQL certificates, execute the
./scripts/credentials set ssl --pg-ssl
command.To rotate the OpenSearch certificates, execute the
./scripts/credentials set ssl --oser-ssl
command.
If your organization issues a certificate from an intermediate CA, place the respective certificate after the server certificate as per the order listed. In the
certs/pg_ssl_public.pem
, place the following ordered list:- Server Certificate
- Intermediate CA Certificate 1
- Intermediate CA Certificate n
Execute the
./scripts/credentials set ssl
command (with the appropriate options). This command deploys the nodes.Execute the
./scripts/credentials set ssl --help
command. The command will provide an information and a list of commands related to certificate rotation.For rotating the PostgreSQL credentials, execute the
./scripts/credentials set postgresql --auto
command.For rotating the OpenSearch credentials, execute the
./scripts/credentials set opensearch --auto
command.
Rotate using Own Organization Certificates
To use existing certificates of your organization, follow the steps given below:
Note
/hab/a2_deploy_workspace
.Run
./scripts/credentials set ssl --rotate-all
Run this command (for the first time) to create a skeleton of certificates. The certificate can be located in
/hab/a2_deploy_workspace/certs
directory. For example: to rotate the certificates for PostgreSQL, save the content of the certificate inpg_ssl_private.key
,pg_ssl_public.pem
, andca_root.pem
. Similarly, tto rotate the PostgreSQL certificate, run the command. Theca_root
will remain the same for all the certificates if theca_root
is same for all the other certificates like opensearch, kibana, or frontend. The only thing which changes is the content of the appropriate certificate.To rotate OpenSearch certificates, insert the content of the certificate of CA to
ca_root.pem
,oser_admin_ssl_private.key
,oser_admin_ssl_public.pem
,oser_ssl_private.key
,oser_ssl_public.pem
,kibana_ssl_private.key
, andkibana_ssl_public.pem
.To rotate a specific certificate, run the following commands:
./scripts/credentials set ssl --pg-ssl
(This will rotate PostgreSQL Certificates)./scripts/credentials set ssl --es-ssl
- To change all the certificates, add contents to the appropriate file and run the following command:
./scripts/credentials set ssl --rotate-all
- The following command will give you all the information about certificate rotation:
./scripts/credentials set ssl --help
If your organization issues a certificate from an Intermediate CA, add the certificate in the sequence as shown below:
Server Certificate
Intermediate CA Certificate 1
Intermediate CA Certificate n
Copy the above content to certs/pg_ssl_public.pem
.
Was this page helpful?