Rotating Certificates

Warning: MySQL for PCF v2.6x is no longer supported because it has reached the End of General Support (EOGS) phase as defined by the Support Lifecycle Policy. To stay up to date with the latest software and security updates, upgrade to a supported version.

Page last updated:

This topic describes how to check expiration dates and rotate certificates used by MySQL for PCF.

Rotate Services TLS Certificate Authority

To rotate the Services TLS CA and its leaf certificates, use one of the following procedures:

Ops Manager v2.9 and later is compatible with CredHub Maestro. MySQL for PCF v2.8 and later is compatible with CredHub Maestro.

Certificates Used by MySQL for PCF

The following table lists the certificates used by MySQL for PCF:

Certificate Rotated by MySQL for PCF?
/services/tls_ca No
/p-bosh/service-instance_GUID/mysql_tls No
/p-bosh/service-instance_GUID/pxc_tls_ca No
/p-bosh/service-instance_GUID/pxc_tls_server No
/p-bosh/service-instance_GUID/pxc_internal_ca No
/p-bosh/pivotal-mysql-GUID/agent_ca_2_6_x No
/p-bosh/pivotal-mysql-GUID/agent_client_ssl_2_6_x No
/p-bosh/pivotal-mysql-GUID/agent_server_ssl_2_6_x No
/p-bosh/service-instance_GUID/agent_ca No
/p-bosh/service-instance_GUID/agent_client_tls No
/p-bosh/service-instance_GUID/agent_server_tls No
/p-bosh/service-instance_GUID/streaming_backup_ca Yes
/p-bosh/service-instance_GUID/streaming_backup_server_cert Yes

In the above table, GUID is the GUID for the service instance. To find the GUID for your service instance, follow the procedure in Find Information about Your Service Instance.

If you are using a PXC-type database, MySQL for PCF rotates the Galera certificate by renaming it.