Here you will find information about manually rotating the Spring Cloud Services certificates stored in the Tanzu Application Service for VMs (TAS for VMs) runtime CredHub.
The following procedure uses the jq command-line JSON processing tool.
To rotate the certificates, you must authenticate with the BOSH Director VM.
Once authenticated, locate the Spring Cloud Services BOSH deployment:
$ bosh deployments
The Spring Cloud Services deployment is named p_spring-cloud-services-[UNIQUE-ID].
After locating the deployment, use the CredHub CLI to list the deployment's Certificate Authority (CA) certificates:
$ credhub curl -p "/api/v1/certificates" -X GET | jq '.certificates[]
  | select((.name | contains("p_spring-cloud-services-b97ed088d2495d6813a9")) and
    .versions[0].certificate_authority == true) | .name'
"/p-bosh/p_spring-cloud-services-b97ed088d2495d6813a9/pxc_server_ca"
"/p-bosh/p_spring-cloud-services-b97ed088d2495d6813a9/pxc_galera_ca"
and the deployment's intermediate (or leaf) certificates, which are signed by the CA certificates:
$ credhub curl -p "/api/v1/certificates" -X GET | jq '.certificates[]
  | select((.name | contains("p_spring-cloud-services-b97ed088d2495d6813a9")) and
    .versions[0].certificate_authority == false) | .name'
"/p-bosh/p_spring-cloud-services-b97ed088d2495d6813a9/pxc_mysql_server_certificate"
"/p-bosh/p_spring-cloud-services-b97ed088d2495d6813a9/pxc_galera_server_certificate"
After rotating a CA certificate, you must regenerate the intermediate certificates signed by that CA certificate.
Perform the following procedure for each of the Spring Cloud Services deployment's two CA certificates.
Look up the CA certificate:
$ credhub curl -p "/api/v1/certificates?name=/p-bosh/p_spring-cloud-services-b97ed088d2495d6813a9/pxc_server_ca"
You should see only one entry in the versions list. Copy the id of this version.
Using the id copied in the previous step, generate a new transitional certificate version:
$ credhub curl -p "/api/v1/certificates/be51e4a2-6b4a-47ea-a5e8-58034b0742ba/regenerate" -d '{"set_as_transitional": true}' -X POST
Visit the Ops Manager Installation Dashboard and apply your changes.
Look up the CA certificate again:
$ credhub curl -p "/api/v1/certificates?name=/p-bosh/p_spring-cloud-services-b97ed088d2495d6813a9/pxc_server_ca"
The new certificate version currently has "transitional": true, and the old version has "transitional": false. Copy the id of the old version and use it to update the CA certificate, making the old version transitional:
$ credhub curl -p /api/v1/certificates/be51e4a2-6b4a-47ea-a5e8-58034b0742ba/update_transitional_version -d '{"version": "834a4d40-d925-49f1-aced-a4362819d173"}' -X PUT
Regenerate the intermediate certificates that are signed by this CA certificate:
$ credhub regenerate -n /p-bosh/p_spring-cloud-services-b97ed088d2495d6813a9/pxc_mysql_server_certificate
Return to the Ops Manager Installation Dashboard and apply your changes.
Remove the old version of the certificate, leaving only the new version, which is no longer transitional:
$ credhub curl -p /api/v1/certificates/be51e4a2-6b4a-47ea-a5e8-58034b0742ba/update_transitional_version -d '{"version": null}' -X PUT
Again returning to the Ops Manager Installation Dashboard, apply your changes.
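The three CredHub calls above are safe only in a particular order, keyed on which version of the CA is currently transitional. The following is an added example (not from the original page or from the Spring Cloud Services product) that reads a CA lookup shaped like the response to GET /api/v1/certificates?name=... and returns the next call in the rotation, refusing to act in any state the procedure does not describe; the certificate ids, dates and deployment suffix are constructed sample values, and it assumes a regenerated version expires later than the one it replaces.

```python
# Constructed sample lookup, shaped like the response to
# GET /api/v1/certificates?name=/p-bosh/p_spring-cloud-services-EXAMPLE/pxc_server_ca
SAMPLE_LOOKUP = {"certificates": [{
    "id": "11111111-1111-1111-1111-111111111111",       # constructed certificate id
    "name": "/p-bosh/p_spring-cloud-services-EXAMPLE/pxc_server_ca",
    "versions": [
        {"id": "aaaaaaaa-0000-0000-0000-000000000001",  # old version, constructed id
         "expiry_date": "2025-01-01T00:00:00Z", "transitional": False, "certificate_authority": True},
        {"id": "bbbbbbbb-0000-0000-0000-000000000002",  # regenerated version, constructed id
         "expiry_date": "2026-01-01T00:00:00Z", "transitional": True, "certificate_authority": True},
    ],
}]}


def next_rotation_step(lookup: dict) -> dict:
    """Map the CA's version state to the next CredHub call in the rotation.

    1 version, none transitional      -> POST .../regenerate with set_as_transitional
    2 versions, newest transitional   -> PUT .../update_transitional_version to the OLD id
    2 versions, oldest transitional   -> PUT .../update_transitional_version with null
    Each CredHub call is followed by an Ops Manager "Apply Changes", which this
    function cannot observe; rerun it after the apply to get the following step.
    """
    cert = lookup["certificates"][0]
    if not all(v["certificate_authority"] for v in cert["versions"]):
        raise ValueError(f"{cert['name']} is not a CA; regenerate it with 'credhub regenerate' instead")
    # Assumption: the regenerated version expires later than the one it replaces,
    # so ordering by expiry (newest first) tells old from new regardless of list order.
    versions = sorted(cert["versions"], key=lambda v: v["expiry_date"], reverse=True)
    transitional = [v["id"] for v in versions if v["transitional"]]
    base = f"/api/v1/certificates/{cert['id']}"
    if len(versions) == 1 and not transitional:
        return {"phase": "start", "method": "POST", "path": f"{base}/regenerate",
                "body": {"set_as_transitional": True}}
    if len(versions) == 2 and transitional == [versions[0]["id"]]:
        return {"phase": "new_is_transitional", "method": "PUT",
                "path": f"{base}/update_transitional_version", "body": {"version": versions[1]["id"]}}
    if len(versions) == 2 and transitional == [versions[1]["id"]]:
        return {"phase": "old_is_transitional", "method": "PUT",
                "path": f"{base}/update_transitional_version", "body": {"version": None}}
    raise ValueError(f"unexpected state for {cert['name']}: "
                     f"{len(versions)} versions, transitional={transitional}; stop and inspect")


if __name__ == "__main__":
    step = next_rotation_step(SAMPLE_LOOKUP)
    print(step["phase"], "->", step["method"], step["path"], step["body"])
```

Serialize the returned body with json.dumps before passing it to credhub curl -d so that Python's None becomes the JSON null the update_transitional_version endpoint expects.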
If applications fail to connect after the rotation, restart the affected service instances to resolve the issue.