PCF IPsec Add-On v1.8

Renewing Expired IPsec Certificates

This topic describes the basic process that deployers may use to renew any soon-to-be-expiring certificates contained in the IPsec manifest.

About Certificate Expiration

The IPsec Add-on relies on X.509 certificates to secure the communications between peers.

Like all certificates, the IPsec certificates have a finite lifetime and eventually expire. The certificates generated by the procedure in the installation instructions, Generate a Self-Signed Certificate, have a default lifetime of one year. Regardless of their specific lifetime, all certificates must eventually be rotated, so it is important for the operations team to plan accordingly and rotate the IPsec certificates before they actually expire.

IMPORTANT: Rotating the certificates while they are still valid ensures the maximum availability of the Cloud Foundry platform and avoids any unscheduled interruption in service.
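The check a practitioner wants before scheduling a rotation is a list of the expiry dates of every certificate in the runtime config (the instance certificate and each CA certificate). The script below is an added example and is not part of the IPsec Add-on or its documentation. It uses only the Python standard library: it locates the PEM blocks in the runtime config text with a regular expression (assuming they appear as block scalars, as in the manifest fragment shown on this page) rather than a YAML parser, and reads notAfter with a minimal DER walker that understands just enough X.509 to reach the Validity field. The certificates it feeds itself are constructed, certificate-shaped DER blobs with no real key or signature, used only to exercise the check; on a real file it reports the same fields for the real certificates. The same check can be rerun on the edited file after new certificates have been pasted in, to confirm they carry the lifetime you expect.

```python
"""Pre-rotation check for IPsec certificates in a BOSH runtime config.

Reports the notAfter date of every certificate in the file (instance_certificate
and each entry of ca_certificates) and flags those that expire within a warning
window, so the rotation can be scheduled before anything actually expires.
Standard library only: PEM blocks are located with a regular expression rather
than a YAML parser, and the expiry is read with a minimal DER walker that knows
just enough of X.509 to reach the Validity field.
"""
import base64
import re
from datetime import datetime, timedelta, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(seq):
    """Yield (tag, value) for each element of a DER SEQUENCE body."""
    pos = 0
    while pos < len(seq):
        tag, value, pos = _read_tlv(seq, pos)
        yield tag, value


def _parse_time(tag, value):
    """Decode UTCTime (tag 0x17, YYMMDDhhmmssZ) or GeneralizedTime (0x18, YYYYMMDDhhmmssZ)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def cert_not_after(der):
    """Return the notAfter timestamp of a DER-encoded X.509 certificate.

    TBSCertificate is [0] version (optional), serialNumber, signature, issuer,
    validity, ...; version and serial are not SEQUENCEs, so validity is the
    third SEQUENCE child of the TBS whether or not the version field is present.
    """
    _, cert_body, _ = _read_tlv(der, 0)   # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert_body, 0)   # tbsCertificate ::= SEQUENCE
    validity = [v for t, v in _children(tbs) if t == 0x30][2]
    _, (tag, not_after) = list(_children(validity))  # (notBefore, notAfter)
    return _parse_time(tag, not_after)


def certificates_in(config_text):
    """Return every PEM certificate in the runtime config text as DER bytes."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(config_text)]


def expiry_report(config_text, now, warn_days=30):
    """Return one (index, not_after, days_left, needs_rotation) tuple per certificate."""
    report = []
    for i, der in enumerate(certificates_in(config_text)):
        not_after = cert_not_after(der)
        days_left = (not_after - now).days
        report.append((i, not_after, days_left, days_left < warn_days))
    return report


# --- constructed sample input: certificate-shaped DER blobs, not real certificates ---
DEMO_NOW = datetime(2018, 1, 1, tzinfo=timezone.utc)  # fixed "today" for the sample


def _der(tag, body):
    """Encode one DER TLV with a short- or long-form length."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    length = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body


def fake_certificate(not_after):
    """Build a DER blob with the TBSCertificate layout up to Validity; no real key or signature."""
    def utc(d):
        return _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    tbs = (_der(0xA0, _der(0x02, b"\x02"))                                   # [0] version v3
           + _der(0x02, b"\x01")                                              # serialNumber
           + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
           + _der(0x30, b"")                                                  # issuer (empty Name)
           + _der(0x30, utc(not_after - timedelta(days=365)) + utc(not_after))  # validity
           + _der(0x30, b"") + _der(0x30, b""))                               # subject, subjectPublicKeyInfo
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))


def sample_runtime_config(days_until_expiry):
    """Constructed config text: first value is instance_certificate, the rest are ca_certificates."""
    def pem(days, indent):
        body = base64.encodebytes(fake_certificate(DEMO_NOW + timedelta(days=days))).decode("ascii")
        lines = ["-----BEGIN CERTIFICATE-----"] + body.split() + ["-----END CERTIFICATE-----"]
        return "".join(" " * indent + line + "\n" for line in lines)
    text = "properties:\n  ipsec:\n    optional: true\n    instance_certificate: |\n"
    text += pem(days_until_expiry[0], 6) + "    ca_certificates:\n"
    for days in days_until_expiry[1:]:
        text += "      - |\n" + pem(days, 8)
    return text


def demo():
    """Run the check over a sample with an instance certificate expiring in 10 days and a CA cert good for 200."""
    return expiry_report(sample_runtime_config([10, 200]), DEMO_NOW)


if __name__ == "__main__":
    for index, not_after, days_left, rotate in demo():
        flag = "  ROTATE" if rotate else ""
        print("certificate %d: expires %s (%d days left)%s" % (index, not_after.date(), days_left, flag))
```

Run it against a real file with `expiry_report(open(path).read(), datetime.now(timezone.utc))`; a certificate index is the order of appearance in the file, so index 0 is instance_certificate and the rest are the ca_certificates entries. The `warn_days` window is the lead time your change process needs for steps such as applying the change in Ops Manager, not a property of the certificate.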

Renew Expired IPsec Certificates

To renew expiring IPsec certificates, do the following:

  1. Retrieve the latest runtime config by running the following command:

    bosh runtime-config > PATH-TO-RUNTIME-CONFIG
    

  2. Generate a new set of certificates. For development or test environments, you can use self-signed certificates. For information about self-signed certificates, see Generate a Self-Signed Certificate.

  3. In the runtime config.yml file saved from step 1, update the optional field to true and update the certificate fields with new certificates. For more information about these fields, see the field descriptions under Create the IPsec Manifest.

    properties:
        ipsec:
          optional: true
          instance_certificate: |
            -----BEGIN CERTIFICATE-----
            EXAMPLEAhigAwIBAgIRAIvrBY2TttU/LeRhO+V1t0YwDQYJKoZIhvcNAQELBQAw
            ...
            -----END CERTIFICATE-----
          instance_private_key: |
            -----BEGIN RSA PRIVATE KEY-----
            EXAMPLExRSAxPRIVATExKEYxDATAxEXAMPLExRSAxPRIVATExKEYxDATA
            ...
            -----END RSA PRIVATE KEY-----
          ca_certificates:
            - |
              -----BEGIN CERTIFICATE-----
              ExampleAvGgAwIBAgIBATANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDEwl0ZXN0
              ...
              -----END CERTIFICATE-----
            - |
              -----BEGIN CERTIFICATE-----
              ExampleAvGgAwIBAgIBATAAYDVQQDEwl0ZXN0NBgkqhkiG9w0BAQsFADAUMRIwE
              ...
              -----END CERTIFICATE-----
    

  4. Change the release version.

    releases:
    - {name: ipsec, version: NEW_VERSION}
    

  5. Update the runtime config with the file edited in steps 3 and 4 by running the following command:

    bosh update runtime-config PATH-TO-RUNTIME-CONFIG
    

  6. Navigate to your Installation Dashboard in Ops Manager.

  7. Click Apply Changes.

  8. Remove the optional: true setting that you added in step 3.

  9. Repeat steps 5 to 7.
