Overview of Certificate Rotation
Page last updated:
This topic provides an overview of rotating certificate authorities (CAs) and leaf certificates in Pivotal Cloud Foundry (PCF).
The Ops Manager API manages and lists internal CAs and leaf certificates that enable PCF components to communicate with each other securely using TLS. It can also list certificates used externally, such as SAML certificates that authenticate to an external identity provider (IDP).
For more information about the CAs and leaf certificates visible to the Ops Manager API, see Certificate Types.
Rotate CAs and leaf certificates before they expire to avoid downtime for your deployment. To rotate certificates in PCF, first check the expiration dates of all certificates. Then, based on the types of certificates that expire soon, follow a certificate rotation procedure to replace expiring certificates and deploy BOSH to apply changes.
Before determining which certificate rotation procedure to follow, you must determine:
- Which types of CAs and leaf certificates exist in your deployment.
- Which CAs and leaf certificates are due to expire soon.
To check the types and expiration dates of your certificates, see Checking Expiration Dates and Certificate Types.
The topics listed in this section explain procedures for rotating CAs and leaf certificates in PCF. There are different rotation procedures for each type of certificate that requires rotation.
Warning: The rotation procedures described in the topics below do not work if the certificates have already expired. If the certificates have expired, contact Pivotal Support for guidance.
To rotate certificates, follow one of these procedures:
To rotate non-rotatable certificates, contact Pivotal Support.
To rotate the Ops Manager root CA and leaf certificates, see Rotating the Root CA and Leaf Certificates. This procedure also rotates the BOSH NATS CA.
To rotate non-configurable leaf certificates, but not the Ops Manager root CA or BOSH NATS CA, see Rotating Non-Configurable Leaf Certificates.
To rotate configurable leaf certificates, but not the Ops Manager root CA or BOSH NATS CA, see Rotating Configurable Leaf Certificates.
To rotate the Services TLS CA certificate, see Rotating the Services TLS CA and Its Leaf Certificates.
Other certificates that the Ops Manager API does not rotate include:
IDP SAML certificates. To rotate IDP SAML certificates, see Rotating Identity Provider SAML Certificates.
IPsec certificates. To rotate IPsec certificates, see Rotating IPsec Certificates in the IPsec Add-On for PCF documentation.
Certificates for any products that you deploy manually with BOSH. To rotate these certificates, you must re-deploy the BOSH release and re-create its VMs using the BOSH CLI.