Rotating Certificates
This topic describes how to check expiration dates and rotate certificates used by MySQL for PCF.
Rotate Services TLS Certificate Authority
To rotate the Services TLS CA and its leaf certificates, use one of the following procedures:
- Ops Manager v2.10: See Rotating the Services TLS CA and Its Leaf Certificates.
- Ops Manager v2.9: See Rotating the Services TLS CA and Its Leaf Certificates.
- Ops Manager v2.8: See Rotating the Services TLS CA and Its Leaf Certificates.
- Ops Manager v2.7: See Rotating the Services TLS CA and Its Leaf Certificates.
Ops Manager v2.9 and later is compatible with CredHub Maestro. MySQL for PCF v2.8 and later is compatible with CredHub Maestro.
Certificates Used by MySQL for PCF
The following table lists the certificates used by MySQL for PCF:
Certificate | Rotated by MySQL for PCF? |
---|---|
/services/tls_ca | No |
/p-bosh/service-instance_GUID/mysql_tls | No |
/p-bosh/service-instance_GUID/pxc_tls_ca | No |
/p-bosh/service-instance_GUID/pxc_tls_server | No |
/p-bosh/service-instance_GUID/pxc_internal_ca | No |
/p-bosh/pivotal-mysql-GUID/agent_ca_2_6_x | No |
/p-bosh/pivotal-mysql-GUID/agent_client_ssl_2_6_x | No |
/p-bosh/pivotal-mysql-GUID/agent_server_ssl_2_6_x | No |
/p-bosh/service-instance_GUID/agent_ca | No |
/p-bosh/service-instance_GUID/agent_client_tls | No |
/p-bosh/service-instance_GUID/agent_server_tls | No |
/p-bosh/service-instance_GUID/streaming_backup_ca | Yes |
/p-bosh/service-instance_GUID/streaming_backup_server_cert | Yes |
In the above table, GUID is the GUID for the service instance. To find the GUID for your service instance, follow the procedure in Find Information about Your Service Instance.
If you are using a PXC-type database, MySQL for PCF rotates the Galera certificate by renaming it.