Rotating Certificates

See below for information about manually rotating the Spring Cloud Services certificates stored in the Tanzu Application Service for VMs (TAS) runtime CredHub.

Preparing to Rotate Certificates

Note: The following procedure uses the jq command-line JSON processing tool.

To rotate the certificates, you must authenticate with the BOSH Director VM.

Once authenticated, locate the Spring Cloud Services BOSH deployment:

$ bosh deployments

The Spring Cloud Services deployment is named p_spring-cloud-services-[UNIQUE-ID].

After locating the deployment, use the CredHub CLI to list the deployment’s Certificate Authority (CA) certificates:

$ credhub curl -p "/api/v1/certificates" -X GET | jq '.certificates[]
  | select((.name | contains("p_spring-cloud-services-b97ed088d2495d6813a9")) and
      .versions[0].certificate_authority == true)
  | .name'

"/p-bosh/p_spring-cloud-services-b97ed088d2495d6813a9/pxc_server_ca"
"/p-bosh/p_spring-cloud-services-b97ed088d2495d6813a9/pxc_galera_ca"

and the deployment’s intermediate (or leaf) certificates, which are signed by the CA certificates:

$ credhub curl -p "/api/v1/certificates" -X GET | jq '.certificates[]
  | select((.name | contains("p_spring-cloud-services-b97ed088d2495d6813a9")) and
      .versions[0].certificate_authority == false)
  | .name'

"/p-bosh/p_spring-cloud-services-b97ed088d2495d6813a9/pxc_mysql_server_certificate"
"/p-bosh/p_spring-cloud-services-b97ed088d2495d6813a9/pxc_galera_server_certificate"

After rotating a CA certificate, you must regenerate the intermediate certificates signed by that CA certificate.

Rotating Certificates

Perform the following procedure for each of the Spring Cloud Services deployment’s two CA certificates.

  1. Look up the CA certificate:
    $ credhub curl -p "/api/v1/certificates?name=/p-bosh/p_spring-cloud-services-b97ed088d2495d6813a9/pxc_server_ca"
    
    You should see only one entry in the versions list. Copy the id of this version.
  2. Using the id copied in the previous step, generate a new transitional certificate version:
    $ credhub curl -p "/api/v1/certificates/be51e4a2-6b4a-47ea-a5e8-58034b0742ba/regenerate" -d '{"set_as_transitional": true}' -X POST
    
    Visit the Ops Manager Installation Dashboard and apply your changes.
  3. Look up the CA certificate again:
    $ credhub curl -p "/api/v1/certificates?name=/p-bosh/p_spring-cloud-services-b97ed088d2495d6813a9/pxc_server_ca"
    
    The new certificate version currently has "transitional": true, and the old version has "transitional": false. Copy the id of the old version and use it to update the CA certificate, making the old version transitional:
    $ credhub curl -p /api/v1/certificates/be51e4a2-6b4a-47ea-a5e8-58034b0742ba/update_transitional_version -d '{"version": "834a4d40-d925-49f1-aced-a4362819d173"}' -X PUT
    
  4. Regenerate the intermediate certificates that are signed by this CA certificate:
    $ credhub regenerate -n /p-bosh/p_spring-cloud-services-b97ed088d2495d6813a9/pxc_mysql_server_certificate
    
    Return to the Ops Manager Installation Dashboard and apply your changes.
  5. Remove the old version of the certificate, leaving only the new version, which is no longer transitional:
    $ credhub curl -p /api/v1/certificates/be51e4a2-6b4a-47ea-a5e8-58034b0742ba/update_transitional_version -d '{"version": null}' -X PUT
    
    Again returning to the Ops Manager Installation Dashboard, apply your changes.
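The two listing filters from Preparing to Rotate Certificates and the five rotation steps above, carried into a small Python planner as an added example; this is not code from the Spring Cloud Services documentation or from the credhub CLI. It reads a constructed copy of the GET /api/v1/certificates response, reproduces the CA/leaf split the jq filters perform, and for each CA derives which step of the procedure comes next from the transitional flags on its versions, refusing to guess when the versions match none of the expected phases (for example more than two versions, or two versions with both or neither transitional). The signed_by, signs and expiry_date fields are assumed from the CredHub certificates API rather than taken from this page; all ids, dates and the deployment suffix are constructed placeholders.

```python
"""Plan the next CredHub rotation step for each CA from the /api/v1/certificates listing.

Added example, not code from the Spring Cloud Services docs or the credhub CLI.
Field names not shown on the page (signed_by, signs, expiry_date) are assumed
from the CredHub certificates API; ids, dates and the deployment suffix are
constructed placeholders.
"""
import json
from datetime import datetime

DEPLOYMENT = "p_spring-cloud-services-EXAMPLE00000000"  # constructed suffix
PREFIX = f"/p-bosh/{DEPLOYMENT}"


def _version(vid, is_ca, transitional, expiry):
    return {"id": vid, "certificate_authority": is_ca,
            "transitional": transitional, "expiry_date": expiry}


# Constructed listing shaped like GET /api/v1/certificates: pxc_server_ca has
# not been touched yet, pxc_galera_ca already has its new transitional version
# (the state after step 2), and a different deployment's CA must be ignored.
SAMPLE_LISTING = json.dumps({"certificates": [
    {"id": "ca-0001", "name": f"{PREFIX}/pxc_server_ca", "signed_by": "",
     "signs": [f"{PREFIX}/pxc_mysql_server_certificate"],
     "versions": [_version("v-old-0001", True, False, "2025-01-01T00:00:00Z")]},
    {"id": "ca-0002", "name": f"{PREFIX}/pxc_galera_ca", "signed_by": "",
     "signs": [f"{PREFIX}/pxc_galera_server_certificate"],
     "versions": [_version("v-old-0002", True, False, "2025-01-01T00:00:00Z"),
                  _version("v-new-0002", True, True, "2026-01-01T00:00:00Z")]},
    {"id": "leaf-0001", "name": f"{PREFIX}/pxc_mysql_server_certificate",
     "signed_by": f"{PREFIX}/pxc_server_ca", "signs": [],
     "versions": [_version("v-leaf-0001", False, False, "2025-01-01T00:00:00Z")]},
    {"id": "leaf-0002", "name": f"{PREFIX}/pxc_galera_server_certificate",
     "signed_by": f"{PREFIX}/pxc_galera_ca", "signs": [],
     "versions": [_version("v-leaf-0002", False, False, "2025-01-01T00:00:00Z")]},
    {"id": "ca-9999", "name": "/p-bosh/other-deployment-ffff/some_ca", "signed_by": "",
     "signs": [], "versions": [_version("v-9999", True, False, "2025-01-01T00:00:00Z")]},
]})


def split_certificates(listing_json, deployment):
    """Mirror the two jq filters: CA names and leaf names belonging to one deployment."""
    certs = [c for c in json.loads(listing_json)["certificates"] if deployment in c["name"]]
    cas = sorted(c["name"] for c in certs if c["versions"][0]["certificate_authority"])
    leaves = sorted(c["name"] for c in certs if not c["versions"][0]["certificate_authority"])
    return cas, leaves


def find_certificate(listing_json, name):
    for cert in json.loads(listing_json)["certificates"]:
        if cert["name"] == name:
            return cert
    raise KeyError(name)


def _newest_first(versions):
    # Order by expiry rather than list position so the plan does not depend on
    # how CredHub happens to order the versions array.
    return sorted(versions, reverse=True,
                  key=lambda v: datetime.fromisoformat(v["expiry_date"].replace("Z", "+00:00")))


def next_step(cert):
    """Return (phase, commands) for the CA's current state, following the page's steps 2-5."""
    cid, versions = cert["id"], cert["versions"]
    if len(versions) == 1:
        if versions[0]["transitional"]:
            raise ValueError("single version is transitional; clear the flag before rotating")
        return "generate-transitional", [  # step 2
            f"credhub curl -p \"/api/v1/certificates/{cid}/regenerate\" "
            f"-d '{{\"set_as_transitional\": true}}' -X POST"]
    if len(versions) != 2:
        raise ValueError(f"expected 1 or 2 versions, found {len(versions)}")
    new, old = _newest_first(versions)
    if new["transitional"] and not old["transitional"]:  # steps 3 and 4
        cmds = [f"credhub curl -p /api/v1/certificates/{cid}/update_transitional_version "
                f"-d '{{\"version\": \"{old['id']}\"}}' -X PUT"]
        cmds += [f"credhub regenerate -n {leaf}" for leaf in cert["signs"]]
        return "move-transitional-to-old", cmds
    if old["transitional"] and not new["transitional"]:  # step 5
        return "clear-transitional", [
            f"credhub curl -p /api/v1/certificates/{cid}/update_transitional_version "
            f"-d '{{\"version\": null}}' -X PUT"]
    if not old["transitional"] and not new["transitional"]:
        return "settled", []
    raise ValueError("both versions are transitional; the CA is in an unexpected state")


def rotation_settled(cert):
    """True when no version is transitional, i.e. no rotation is in progress."""
    return bool(cert["versions"]) and not any(v["transitional"] for v in cert["versions"])


if __name__ == "__main__":
    cas, leaves = split_certificates(SAMPLE_LISTING, DEPLOYMENT)
    print("CAs:", cas)
    print("leaves:", leaves)
    for name in cas:
        phase, cmds = next_step(find_certificate(SAMPLE_LISTING, name))
        print(f"{name}: {phase}")
        for cmd in cmds:
            print("  $", cmd)
```

Run against a real listing by replacing SAMPLE_LISTING with the output of `credhub curl -p "/api/v1/certificates" -X GET`; the printed commands are the ones the page gives for the phase the CA is in, and the Ops Manager apply-changes step between phases is still done by hand.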