Renewing Expired IPsec Certificates
Note: Pivotal Platform is now part of VMware Tanzu. In v1.9 and later, Pivotal IPsec is named IPsec for VMware Tanzu.
This topic describes the basic process that deployers can use to renew any already expired certificates contained in the IPsec for VMware Tanzu manifest.
IPsec relies on X.509 certificates to authenticate peers and secure the traffic between them.
Like all certificates, IPsec certificates have a finite lifetime and eventually expire. The certificates generated by the procedure in the installation instructions, Generate a Self-Signed Certificate, have a default lifetime of one year. Regardless of their specific lifetime, all certificates must eventually be rotated, so the operations team should plan accordingly and rotate IPsec certificates before they actually expire.
Note: Rotating the certificates while they are still valid avoids any unscheduled interruption in service.
To renew expired IPsec certificates, do the following:
Retrieve the latest runtime config by running the following command:
bosh -e BOSH-ENVIRONMENT runtime-config > PATH-TO-SAVE-THE-RUNTIME-CONFIG
Generate a new set of certificates.
For development or test environments, you can use self-signed certificates. For information about self-signed certificates, see Generate a Self-Signed Certificate.
In the runtime config.yml file saved from step 1, set optional: true and update the certificate fields with the new certificates. With optional: true, instances accept both IPsec and non-IPsec traffic, so peers that are still on the old certificates can keep communicating while the new ones are rolled out; the setting is removed again once every instance has the new certificates. For more information about these fields, see the field descriptions under Create the IPsec Manifest.
properties:
  ipsec:
    optional: true
    instance_certificate: |
      -----BEGIN CERTIFICATE-----
      EXAMPLEAhigAwIBAgIRAIvrBY2TttU/LeRhO+V1t0YwDQYJKoZIhvcNAQELBQAw
      ...
      -----END CERTIFICATE-----
    instance_private_key: |
      -----BEGIN EXAMPLE RSA PRIVATE KEY-----
      EXAMPLExRSAxPRIVATExKEYxDATAxEXAMPLExRSAxPRIVATExKEYxDATA
      ...
      -----END EXAMPLE RSA PRIVATE KEY-----
    ca_certificates:
    - |
      -----BEGIN CERTIFICATE-----
      EXAMPLEAvGgAwIBAgIBATANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDEwl0ZXN0
      ...
      -----END CERTIFICATE-----
Update the runtime config by running the following command:
bosh -e BOSH-ENVIRONMENT update-runtime-config --name=ipsec PATH-TO-SAVE-THE-RUNTIME-CONFIG
Navigate to your Installation Dashboard in Ops Manager.
If you are using Ops Manager v2.3 or later, click Review Pending Changes. For more information about this Ops Manager page, see Reviewing Pending Product Changes.
Click Apply Changes.
Remove the optional: true setting added in step 3 so that IPsec is mandatory again, then repeat steps 4 to 7 (update the runtime config and apply the changes in Ops Manager) to roll out the final configuration.
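The following script stages the rotation above offline. It is an added example, not code from the IPsec for VMware Tanzu documentation or product: it generates a throwaway self-signed CA and CA-signed instance certificate and key with openssl (standing in for the Generate a Self-Signed Certificate procedure), checks whether a certificate expires within a given number of days (the "rotate before expiry" caveat), verifies that the instance certificate actually chains to the CA that will be listed under ca_certificates, and renders the properties fragment in the shape shown in step 3 twice: once with optional: true for the first update-runtime-config and Apply Changes pass, and once without it for the second. The file names (ca.crt, instance.crt, ipsec-phase1.yml, ...), the certificate subjects, and the two-phase file split are the example's own assumptions; splicing the fragment into your saved runtime config and running the bosh commands is left to the operator, and the script only prints them.

```shell
#!/bin/sh
# Added example (not part of the IPsec for VMware Tanzu docs): stage an IPsec
# certificate rotation offline. File names, subjects and the phase split are
# assumptions made for this example.
set -eu

# Generate a CA and a CA-signed instance certificate/key under $2, valid for
# $1 days. The docs' self-signed procedure defaults to one year; pass a shorter
# lifetime only to exercise the expiry check. The private key is written in
# whatever PEM form your openssl emits (PKCS#8 "BEGIN PRIVATE KEY" on recent
# versions).
gen_certs() {
  days="$1"; dir="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
    -subj "/CN=ipsec-ca" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=ipsec-instance" -keyout "$dir/instance.key" \
    -out "$dir/instance.csr" 2>/dev/null
  openssl x509 -req -in "$dir/instance.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -days "$days" -sha256 \
    -out "$dir/instance.crt" 2>/dev/null
}

# Exit 0 when the certificate in $1 expires within $2 days. openssl -checkend
# exits 0 while the certificate is still valid at that point, so it is negated.
expires_within_days() {
  ! openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 ))
}

# Exit 0 when the instance certificate validates against the CA that will be
# listed under ca_certificates. A failure here means peers would reject each
# other once the new material is deployed.
verify_chain() {
  openssl verify -CAfile "$1/ca.crt" "$1/instance.crt" >/dev/null 2>&1
}

# Emit the properties fragment in the shape the page shows. $1 is "true" to
# include optional: true (first pass) or anything else to omit it (second pass);
# $2 is the directory holding the PEM files.
render_properties() {
  optional="$1"; dir="$2"
  echo "properties:"
  echo "  ipsec:"
  if [ "$optional" = true ]; then echo "    optional: true"; fi
  echo "    instance_certificate: |"
  sed 's/^/      /' "$dir/instance.crt"
  echo "    instance_private_key: |"
  sed 's/^/      /' "$dir/instance.key"
  echo "    ca_certificates:"
  echo "    - |"
  sed 's/^/      /' "$dir/ca.crt"
}

main() {
  dir="${1:-$(mktemp -d)}"
  gen_certs 365 "$dir"
  verify_chain "$dir" || { echo "instance cert does not chain to CA" >&2; exit 1; }
  if expires_within_days "$dir/instance.crt" 30; then
    echo "warning: new certificate expires within 30 days" >&2
  fi
  render_properties true "$dir" > "$dir/ipsec-phase1.yml"
  render_properties false "$dir" > "$dir/ipsec-phase2.yml"
  echo "Phase 1 fragment (optional: true):  $dir/ipsec-phase1.yml"
  echo "Phase 2 fragment (IPsec required):  $dir/ipsec-phase2.yml"
  echo "Splice each fragment into the saved runtime config, then for each phase run:"
  echo "  bosh -e BOSH-ENVIRONMENT update-runtime-config --name=ipsec PATH-TO-SAVE-THE-RUNTIME-CONFIG"
  echo "and click Apply Changes in Ops Manager before moving on to the next phase."
}

main "$@"
```

Run the expiry check against the certificate already in your saved runtime config (copy the instance_certificate block into a file first) to decide how urgent the rotation is; with a one-year default lifetime, a 30-day threshold gives enough lead time to schedule the two Apply Changes passes. Keep the window in which optional: true is deployed as short as possible, since during that window peers are allowed to fall back to non-IPsec traffic.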