Pivotal Cloud Foundry v1.10

Regenerating and Rotating Non-Configurable TLS/SSL Certificates

Depending on the requirements of your deployment, at some point you may need to rotate your CA certificates. Certificates expire, or your organization's security compliance policies may require you to rotate certificates periodically.

Rotate the certificates in your Pivotal Cloud Foundry (PCF) deployment using API calls from the command line. PCF provides different API calls with which to manage certificates and certificate authorities (CAs). New certificates generated through this process are signed using SHA-256.

These API calls allow you to create new CAs, apply them, and delete old CAs. The process of activating a new CA and rotating it in gives new certificates to the Ops Manager Director. The Ops Manager Director then passes the certificates to other components in your PCF deployment.

Follow the procedures below in order to apply new CAs with minimal risk.

Note: These procedures require you to return to Ops Manager and click Apply Changes periodically. Clicking Apply Changes redeploys the Ops Manager Director and its tiles. If you apply your changes during each procedure, a successful redeploy verifies that the certificate rotation process is proceeding correctly.

Creating a New Certificate Authority (CA)

  1. Open the command line.

  2. Open a web browser and navigate to Ops Manager.

  3. In Ops Manager, click Apply Changes.

  4. On the command line, enter the following API call with an empty request:

    curl "https://EXAMPLE.com/api/v0/certificate_authorities/generate" \
    -X POST \
    -H "Authorization: Bearer YOUR-UAA-ACCESS-TOKEN" \
    -H "Content-Type: application/json" \
    -d '{}'
    

    The API returns a successful response, including a new certificate.
    HTTP/1.1 200 OK
    {
    "guid": "f7bc18f34f2a7a9403c3",
    "issuer": "Pivotal",
    "created_on": "2017-01-19",
    "expires_on": "2021-01-19",
    "active": false,
    "cert_pem": "-----BEGIN EXAMPLE CERTIFICATE-----
    MIIC+zCCAeOgAwIBAgIBADANBgkqhkiG9w0BAQsFADAfMQswCQYDVQQGEwJVUzEQ
    MA4GA1UECgwHUGl2b3RhbDAeFw0xNzAxMTgyMTQyMjVaFw0yMTAxMTkyMTQyMjVa
    MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKDAdQaXZvdGFsMIIBIjANBgkqhkiG9w0B
    AQEFAAOCAQ8AMIIBCgKCAQEAyV4OhPIIZTEym9OcdcNVip9Ev0ijPPLo9WPLUMzT
    IrpDx3nG/TgD+DP09mwVXfqwBlJmoj9DqRED1x/6bc0Ki/BAFo/P4MmOKm3QnDCt
    o+4RUvLkQqgA++2HYrNTKWJ5fsXmERs8lK9AXXT7RKXhktyWWU3oNGf7zo0e3YKp
    l07DdIW7h1NwIbNcGT1AurIDsxyOZy1HVzLDPtUR2MxhJmSCLsOw3qUDQjatjXKw
    82RjcrswjG3nv2hvD4/aTOiHuKM3+AGbnmS2MdIOvFOh/7Y79tUp89csK0gs6uOd
    myfdxzDihe4DcKw5CzUTfHKNXgHyeoVOBPcVQTp4lJp1iQIDAQABo0IwQDAdBgNV
    HQ4EFgQUyH4y7VEuImLStXM0CKR8uVqxX/gwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
    HQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBALmHOPxdyBGnuR0HgR9V4TwJ
    tnKFdFQJGLKVT7am5z6G2Oq5cwACFHWAFfrPG4W9Jm577QtewiY/Rad/PbkY0YSY
    rehLThKdkrfNjxjxI0H2sr7qLBFjJ0wBZHhVmDsO6A9PkfAPu4eJvqRMuL/xGmSQ
    tVkzgYmnCynMNz7FgHyFbd9D9X5YW8fWGSeVBPPikcONdRvjw9aEeAtbGEh8eZCP
    aBQOgsx7b33RuR+CTNqThXY9k8d7/7ba4KVdd4gP8ynFgwvnDQOjcJZ6Go5QY5HA
    R+OgIzs3PFW8pAYcvWrXKR0rE8fL5o9qgTyjmO+5yyyvWIYrKPqqIUIvMCdNr84=
    -----END EXAMPLE CERTIFICATE-----
    "
    }
    This creates a new CA.

Activating the New CA

  1. On the command line, enter the following API call:

    curl "https://EXAMPLE.com/api/v0/certificate_authorities" \
    -X GET \
    -H "Authorization: Bearer YOUR-UAA-ACCESS-TOKEN"
    The response lists the new CA, marked as inactive ("active": false). Note its guid for the next steps.

  2. In Ops Manager, click Apply Changes.

  3. On the command line, enter the following API call with an empty request, replacing EXAMPLE-CERT-GUID with the guid of the new CA:

    curl "https://EXAMPLE.com/api/v0/certificate_authorities/EXAMPLE-CERT-GUID/activate" \
    -X POST \
    -H "Authorization: Bearer YOUR-UAA-ACCESS-TOKEN" \
    -H "Content-Type: application/json" \
    -d '{}'

    The API returns a successful response.
    HTTP/1.1 200 OK
    This activates the new CA. The previously active CA becomes inactive.

Regenerating Non-Configurable Certificates to Apply the New CA

  1. On the command line, enter the following API call with an empty request:

    curl "https://EXAMPLE.com/api/v0/certificate_authorities/active/regenerate" \
    -X POST \
    -H "Authorization: Bearer YOUR-UAA-ACCESS-TOKEN" \
    -H "Content-Type: application/json" \
    -d '{}'
    
    The API returns a successful response.
    HTTP/1.1 200 OK
    This regenerates all non-configurable certificates and applies the new CA to your existing Ops Manager Director.

  2. In Ops Manager, click Apply Changes.

Deleting the Old CA

  1. On the command line, enter the following API call, replacing :guid with the guid of the old, now inactive CA (confirm with the GET call above that it is no longer marked active):

    curl "https://EXAMPLE.com/api/v0/certificate_authorities/:guid" \
    -X DELETE \
    -H "Authorization: Bearer YOUR-UAA-ACCESS-TOKEN"
    
    The API returns a successful response.
    HTTP/1.1 200 OK
    This deletes the old, inactive CA.

  2. In Ops Manager, click Apply Changes.
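As an added example (not Pivotal's own tooling), a Python driver for the whole procedure above, from listing CAs through deleting the old one, with the checks an operator would want before each destructive step. It assumes the GET listing returns a certificate_authorities array whose objects carry the guid, active and expires_on fields shown in the example response, and takes the operator's Apply Changes step as a callback; SAMPLE_LISTING is constructed.

```python
import json
import urllib.request
from datetime import date

# Constructed listing in the assumed shape of GET /api/v0/certificate_authorities:
# the page's example CA (still inactive) beside a constructed, currently active old CA.
SAMPLE_LISTING = {"certificate_authorities": [
    {"guid": "0000aaaa1111bbbb2222", "active": True, "expires_on": "2017-06-01"},
    {"guid": "f7bc18f34f2a7a9403c3", "active": False, "expires_on": "2021-01-19"}]}

def api_call(base_url, token, path, method="GET"):
    """One Ops Manager API request with the UAA bearer token; POST sends the empty body."""
    req = urllib.request.Request(base_url + path, method=method, data=b"{}" if method == "POST" else None,
        headers={"Authorization": "Bearer " + token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
    return json.loads(body) if body else {}

def plan_rotation(cas, new_guid, today):
    """Return (guid to activate, guid to delete later) or raise; today is an ISO date string."""
    by_guid = {ca["guid"]: ca for ca in cas}
    if new_guid not in by_guid:
        raise ValueError("new CA %s is not in the listing" % new_guid)
    if by_guid[new_guid]["active"]:
        raise ValueError("new CA is already active; nothing to activate")
    if by_guid[new_guid]["expires_on"] <= today:  # ISO dates compare lexically
        raise ValueError("new CA has already expired")
    active = [g for g, ca in by_guid.items() if ca["active"]]
    if len(active) != 1:
        raise ValueError("expected exactly one active CA, found %d" % len(active))
    return new_guid, active[0]

def activation_ok(cas, new_guid, old_guid):
    """After activation the new CA must be the only active one and the old CA inactive."""
    state = {ca["guid"]: ca["active"] for ca in cas}
    return state.get(new_guid) is True and state.get(old_guid) is False and sum(state.values()) == 1

def rotate(base_url, token, new_guid, apply_changes):
    """Run the page's sequence end to end; apply_changes() is the operator's Apply Changes."""
    path = "/api/v0/certificate_authorities"
    new_guid, old_guid = plan_rotation(api_call(base_url, token, path)["certificate_authorities"],
                                       new_guid, date.today().isoformat())
    apply_changes()
    api_call(base_url, token, path + "/%s/activate" % new_guid, "POST")
    if not activation_ok(api_call(base_url, token, path)["certificate_authorities"], new_guid, old_guid):
        raise RuntimeError("new CA did not become the sole active CA; not regenerating")
    api_call(base_url, token, path + "/active/regenerate", "POST")
    apply_changes()
    api_call(base_url, token, path + "/%s" % old_guid, "DELETE")
    apply_changes()
```

The delete is only reached after the GET listing confirms the new CA is the sole active one, so a failed or skipped activation cannot remove the CA the Director still depends on.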
