forked from joemoore/docs-addon-ipsec
renewing.html.md.erb
---
title: Renewing Expired IPsec Certificates
owner: Security Engineering
---
<strong><%= modified_date %></strong>
This topic describes the basic process that deployers may use to renew any soon-to-be-expiring certificates contained in
the IPsec manifest.
##<a id="about-expiration"></a>About Certificate Expiration
The IPsec Add-on relies upon X.509 certificates to secure the communications between peers.
Like all certificates, the IPsec certificates have a finite lifetime and eventually expire. The certificates generated by the
procedure provided in the installation instructions, [Generate a Self-Signed Certificate](./installing.html#self-signed),
have a default lifetime of one year. Regardless of their specific lifetime, all certificates must eventually be rotated, so
it is important for the operations team to plan accordingly and rotate the IPsec certificates before they actually expire.
<p class="note"><strong>IMPORTANT</strong>: Rotating the certificates while they are still valid
ensures the maximum availability of the Cloud Foundry platform and avoids any unscheduled interruption in service.</p>
##<a id="renew-certs"></a>Renew Expired IPsec Certificates
To renew expiring IPsec certificates, do the following:
1. Retrieve the latest runtime config by running one of the following commands:
* **For Ops Manager v1.10 or earlier:**
`bosh runtime-config > PATH-TO-SAVE-THE-RUNTIME-CONFIG`
* **For Ops Manager v1.11 or later:**
`bosh2 -e BOSH-ENVIRONMENT runtime-config > PATH-TO-SAVE-THE-RUNTIME-CONFIG`
2. Generate a new set of certificates.
For development or test environments, you can use self-signed certificates.
For information about self-signed certificates, see [Generate a Self-Signed Certificate](./installing.html#self-signed).
3. In the runtime `config.yml` file saved from step 1, update the `optional` field to `true` and update the certificate fields with new certificates.
For more information about these fields,
see the field descriptions under [Create the IPsec Manifest](./installing.html#create-mfest).
<pre>
properties:
  ipsec:
    <strong>optional</strong>: true
    <strong>instance\_certificate</strong>: |
      -----BEGIN CERTIFICATE-----
      EXAMPLEAhigAwIBAgIRAIvrBY2TttU/LeRhO+V1t0YwDQYJKoZIhvcNAQELBQAw
      ...
      -----END CERTIFICATE-----
    <strong>instance\_private\_key</strong>: |
      -----BEGIN EXAMPLE RSA PRIVATE KEY-----
      EXAMPLExRSAxPRIVATExKEYxDATAxEXAMPLExRSAxPRIVATExKEYxDATA
      ...
      -----END EXAMPLE RSA PRIVATE KEY-----
    <strong>ca\_certificates</strong>:
    \- |
      -----BEGIN CERTIFICATE-----
      ExampleAvGgAwIBAgIBATANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDEwl0ZXN0
      ...
      -----END CERTIFICATE-----
</pre>
4. Update the runtime config by running one of the following commands:
* **For Ops Manager v1.10 or earlier:**
`bosh update runtime-config PATH-TO-SAVE-THE-RUNTIME-CONFIG`
* **For Ops Manager v1.11 or later:**
`bosh2 -e BOSH-ENVIRONMENT update-runtime-config PATH-TO-SAVE-THE-RUNTIME-CONFIG`<br>
5. Navigate to your **Installation Dashboard** in Ops Manager.
6. Click **Apply Changes**.
7. Remove the `optional: true` set in step 3.
8. Repeat steps 4 to 6.
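The procedure above assumes you already know the certificates are about to expire. The following script is an added example, not part of the IPsec Add-on or its docs: it pulls every certificate block out of a saved runtime config (the `instance_certificate` and `ca_certificates` fields from step 3) and counts the ones that expire within a chosen number of days, so the rotation can be scheduled while the old certificates are still valid. It assumes only `awk` and `openssl` are installed; the demo config it builds uses a throwaway self-signed certificate and is constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not part of the IPsec Add-on docs): find the certificates in
# a saved BOSH runtime config and report which ones are due for rotation.
# Needs only awk and openssl. Assumes the layout shown in step 3:
# properties.ipsec.instance_certificate and properties.ipsec.ca_certificates.
set -eu

# Copy each "-----BEGIN CERTIFICATE-----" block in $1 into $2/cert-N.pem,
# stripping the YAML indentation. Private key blocks are never touched.
extract_certs() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inblock = 1 }
    inblock { sub(/^[ \t]*/, ""); print > out }
    /-----END CERTIFICATE-----/ { inblock = 0; close(out) }
  ' "$1"
}

# Print the number of certificates in runtime config $1 that expire within
# $2 days; details for each one go to stderr. "openssl x509 -checkend" exits
# non-zero when the certificate is already expired or expires in the window.
count_expiring() {
  cfg="$1"; days="$2"; count=0
  tmp=$(mktemp -d)
  extract_certs "$cfg" "$tmp"
  for pem in "$tmp"/cert-*.pem; do
    [ -e "$pem" ] || break
    if ! openssl x509 -noout -in "$pem" -checkend $((days * 86400)) >/dev/null; then
      echo "ROTATE: $(openssl x509 -noout -subject -enddate -in "$pem" | tr '\n' ' ')" >&2
      count=$((count + 1))
    fi
  done
  rm -rf "$tmp"
  echo "$count"
}

# Constructed input for trying this offline: a throwaway self-signed cert that
# is valid for 30 days, embedded in a runtime config shaped like step 3's.
make_demo_config() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=ipsec-demo" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
  {
    printf 'properties:\n  ipsec:\n    optional: true\n    instance_certificate: |\n'
    sed 's/^/      /' "$dir/cert.pem"
    printf '    ca_certificates:\n    - |\n'
    sed 's/^/      /' "$dir/cert.pem"
  } > "$dir/runtime-config.yml"
  echo "$dir/runtime-config.yml"
}
```

Run `count_expiring PATH-TO-SAVE-THE-RUNTIME-CONFIG 30` against the file retrieved in step 1; a non-zero result means at least one certificate expires within 30 days and the renewal steps should be scheduled now.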