PCF IPsec Add-On v1.8

Rotating IPsec Credentials


This topic describes the process Pivotal recommends to increase deployment security by rotating credentials in the IPsec manifest. Your organizational security policy may specify how often you should apply these changes.

There are two procedures for credential rotation described in this topic.

  • Procedure 1 describes rotating the instance certificate and instance private key specified in your IPsec manifest. This procedure requires updating BOSH. It does not include rotating the certificate authority (CA) certificate.
  • Procedure 2 describes rotating your CA certificate in addition to your instance certificate and instance private key. This procedure requires updating BOSH three times.

Note: The rolling deploys during these procedures result in minimal deployment downtime.

Procedure 1: Rotate the Instance Certificate and Instance Private Key

Follow the steps below to rotate the instance certificate and instance private key.

  1. Generate a new certificate and use your existing IPsec CA certificate to sign the new certificate.

  2. Update the instance certificate and the private key fields in your ipsec-addon.yml file with new values from the previous step.

  3. Run the following command:

    $ bosh update runtime-config PATH/MYPRODUCT_ipsec-addon.yml

    Note: The following step results in a few minutes of application downtime.

  4. Navigate to your Ops Manager interface in a browser, and click Apply Changes.

Procedure 2: Rotate the CA Certificate, the Instance Certificate, and Instance Private Key

Follow these steps to rotate the CA certificate, instance certificate, and instance private key.

  1. Generate a new CA certificate.

  2. Append the newly generated CA certificate under the existing certificate in your ipsec-addon.yml.

  3. Run the following command:

    $ bosh update runtime-config PATH/MYPRODUCT_ipsec-addon.yml

    Note: The following step results in a few minutes of application downtime.

  4. Navigate to your Ops Manager interface in a browser, and click Apply Changes.

  5. Generate a new certificate and use your new CA certificate to sign the new certificate.

  6. Update the instance certificate and the private key fields in your ipsec-addon.yml file with the new values from the previous step.

  7. Run the following command:

    $ bosh update runtime-config PATH/MYPRODUCT_ipsec-addon.yml

    Note: The following step results in a few minutes of application downtime.

  8. Navigate to your Ops Manager interface in a browser, and click Apply Changes.

  9. Delete the older CA certificate in the ipsec-addon.yml file.

  10. Run the following command:

    $ bosh update runtime-config PATH/MYPRODUCT_ipsec-addon.yml

    Note: The following step results in a few minutes of application downtime.

  11. Navigate to your Ops Manager interface in a browser, and click Apply Changes.
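The CA transition that Procedure 2 walks through (append the new CA, re-issue the instance certificate under it, then drop the old CA), as an added example that is not Pivotal's code or part of this page: it builds each CA-list state locally with openssl and checks which instance certificates each state trusts, which shows why the old CA is removed only after every instance carries a certificate signed by the new one. It assumes openssl on PATH and models the manifest's CA list as a PEM bundle file; the add-on's actual YAML field names are not shown on this page.

```shell
#!/usr/bin/env bash
# Added example (not from the Pivotal docs or the IPsec add-on): models the CA
# transition of Procedure 2 with openssl. Assumes openssl on PATH; the manifest's
# CA list is modelled as a PEM bundle file (the real YAML keys are not on this page).
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA named $1 -> $WORK/$1.key and $WORK/$1.crt (Procedure 2, step 1)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=ipsec-$1-ca" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Instance certificate $2 signed by CA $1 (the "sign the new certificate" step)
make_instance_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ipsec-instance-$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 90 -out "$WORK/$2.crt" 2>/dev/null
}

# Succeeds only if instance certificate $2 chains to the CA bundle $1
trusted_by() {
  openssl verify -CAfile "$WORK/$1" "$WORK/$2.crt" 2>/dev/null | grep -q ': OK$'
}

# Build the CA-list states the manifest passes through during Procedure 2
build_rotation_states() {
  make_ca old; make_instance_cert old inst-old       # starting point: old CA only
  cp "$WORK/old.crt" "$WORK/ca-before.pem"
  make_ca new                                         # step 1: new CA
  cat "$WORK/old.crt" "$WORK/new.crt" > "$WORK/ca-transition.pem"   # step 2
  make_instance_cert new inst-new                     # step 5: re-sign under new CA
  cp "$WORK/new.crt" "$WORK/ca-final.pem"             # step 9: old CA removed
}

# One line per (CA list state, instance certificate) pair
report() {
  for pair in before:inst-old transition:inst-old transition:inst-new \
              final:inst-new final:inst-old; do
    state="${pair%%:*}"; cert="${pair##*:}"
    if trusted_by "ca-$state.pem" "$cert"; then r=trusted; else r=REJECTED; fi
    printf '%-11s %-9s %s\n' "$state" "$cert" "$r"
  done
}

build_rotation_states
report
```

The transition bundle trusts both the old and the new instance certificate, so hosts that have not yet received the new certificate keep negotiating; once the old CA is dropped, only certificates signed by the new CA are accepted.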
