Skip to main content

Certificate Rotation

[edit on GitHub]

Warning

Chef Automate 4.x will not be available for download before the end of September 2022. We are working on making the upgrade process a seamless experience. Until then, you can download Chef Automate 3.0.49. Please get in touch with support for more information.

Certificate rotation is the replacement of existing certificates with new ones when any certificate expires or is based on your organization’s policy. A new CA authority is substituted for the old, requiring a replacement of the root certificate for the cluster.

The certificate rotation is also required when the key for a node, client, or CA is compromised. If compromised, you need to change the contents of a certificate. For example, to add another DNS name or the IP address of a load balancer to reach a node, you have to rotate only the node certificates.

Rotate using OpenSSL

You can generate the required certificates or use your organization’s existing certificates. To rotate your certificates(from cd /hab/a2_deploy_workspace path), that are used in Chef Automate High Availability (HA), follow the steps below:

  • Navigate to your workspace folder(example: cd /hab/a2_deploy_workspace) and execute the ./scripts/credentials set ssl --rotate all command. The command rotates all the certificates of your organization.

    Note

    When you run the above command for the first time, a series of certificates are created and saved in /hab/a2_deploy_workspace/certs location. Identify the appropriate certificate. For example, to rotate certificates for PostgreSQL, use certificate values into pg_ssl_private.key, pg_ssl_public.pem, and ca_root.pem. Similarly, to rotate certificates for OpenSearch, use certificate values into ca_root.pem, oser_admin_ssl_private.key, oser_admin_ssl_public.pem, oser_ssl_private.key, oser_ssl_public.pem, kibana_ssl_private.key, and kibana_ssl_public.pem.
  • To rotate the PostgreSQL certificates, execute the ./scripts/credentials set ssl --pg-ssl command.

  • To rotate the OpenSearch certificates, execute the ./scripts/credentials set ssl --oser-ssl command.

  • If your organization issues a certificate from an intermediate CA, place the respective certificate after the server certificate as per the order listed. In the certs/pg_ssl_public.pem, place the following ordered list:

    • Server Certificate
    • Intermediate CA Certificate 1
    • Intermediate CA Certificate n
  • Execute the ./scripts/credentials set ssl command (with the appropriate options). This command deploys the nodes.

  • Execute the ./scripts/credentials set ssl --help command. The command will provide an information and a list of commands related to certificate rotation.

  • For rotating the PostgreSQL credentials, execute the ./scripts/credentials set postgresql --auto command.

  • For rotating the OpenSearch credentials, execute the ./scripts/credentials set opensearch --auto command.

Certificate Rotation

Rotate using Own Organization Certificates

To use existing certificates of your organization, follow the steps given below:

Note

All the commands will run from /hab/a2_deploy_workspace.
  • Run ./scripts/credentials set ssl --rotate-all

    • Run this command (for the first time) to create a skeleton of certificates. The certificate can be located in /hab/a2_deploy_workspace/certs directory. For example: to rotate the certificates for PostgreSQL, save the content of the certificate in pg_ssl_private.key, pg_ssl_public.pem, and ca_root.pem. Similarly, tto rotate the PostgreSQL certificate, run the command. The ca_root will remain the same for all the certificates if the ca_root is same for all the other certificates like opensearch, kibana, or frontend. The only thing which changes is the content of the appropriate certificate.

    • To rotate OpenSearch certificates, insert the content of the certificate of CA to ca_root.pem, oser_admin_ssl_private.key, oser_admin_ssl_public.pem, oser_ssl_private.key, oser_ssl_public.pem, kibana_ssl_private.key, and kibana_ssl_public.pem.

    • To rotate a specific certificate, run the following commands:

    ./scripts/credentials set ssl --pg-ssl (This will rotate PostgreSQL Certificates)

    ./scripts/credentials set ssl --es-ssl

    • To change all the certificates, add contents to the appropriate file and run the following command:

    ./scripts/credentials set ssl --rotate-all

    • The following command will give you all the information about certificate rotation:

    ./scripts/credentials set ssl --help

If your organization issues a certificate from an Intermediate CA, add the certificate in the sequence as shown below:

Server Certificate
Intermediate CA Certificate 1
Intermediate CA Certificate n

Copy the above content to certs/pg_ssl_public.pem.

Was this page helpful?

×









Search Results