Manage Certificates

Rotate user-provided server certificates

When your certificates are user-provided, that is, supplied to CFK as Kubernetes secrets, you rotate the server certificate by updating the contents of that Secret.

For example, if you provided the certificates as .pem files, replace server.pem (the server certificate) and server-key.pem (its private key) with the new pair, then update the Kubernetes secret:

kubectl create secret generic component-tls \
--from-file=fullchain.pem=server.pem \
--from-file=cacerts.pem=ca.pem \
--from-file=privkey.pem=server-key.pem \
--save-config --dry-run=client -oyaml | \
kubectl apply -f -

CFK watches the Kubernetes secret, notices that its content has changed, and performs a rolling restart of the component so that it picks up the new server certificate.

Rotate certificate authority

When your certificates are user-provided as Kubernetes secrets, you rotate the certificate authority (CA) in a two-step process. The two steps ensure that every component trusts both the old and the new CA before any certificate signed by the new CA is put into service, so connections keep validating throughout the rolling restarts.

This section assumes you provided the certificates as .pem files.

1. Append new certificate authority

Append the new intermediate/root CA certificate to ca.pem. It will co-exist with the old intermediate/root CA:

file name: ca.pem
content:
-----BEGIN CERTIFICATE-----
<old root CA certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<new root CA certificate>
-----END CERTIFICATE-----

Update the secret:

kubectl create secret generic component-tls \
--from-file=fullchain.pem=server.pem \
--from-file=cacerts.pem=ca.pem \
--from-file=privkey.pem=server-key.pem \
--save-config --dry-run=client -oyaml | \
kubectl apply -f -

CFK watches the Kubernetes secret, notices that its content has changed, and performs a rolling restart of the component so that it trusts the new root CA alongside the old one.

2. Generate server certs with new certificate authority

Generate new server certificates signed by the new CA, and replace server.pem (the server certificate) and server-key.pem (its private key) with them.

Then update the Kubernetes secret:

kubectl create secret generic component-tls \
--from-file=fullchain.pem=server.pem \
--from-file=cacerts.pem=ca.pem \
--from-file=privkey.pem=server-key.pem \
--save-config --dry-run=client -oyaml | \
kubectl apply -f -

CFK watches the Kubernetes secret, notices that its content has changed, and performs a rolling restart of the component so that it picks up the new server certificate.
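The helper script below is an added example and is not code from the Confluent for Kubernetes documentation or the CFK project. It wraps the secret update used in both sections above in one function and adds the checks a practitioner would want before each update: an idempotent step 1 that appends the new CA to ca.pem without ever duplicating an entry, and step 2 checks that the new server.pem chains to ca.pem and that server-key.pem is the matching private key. The file names (ca.pem, server.pem, server-key.pem) and the secret name component-tls come from the page; the function names, the placeholder PEM bodies written by demo_step1 (constructed, not real certificates) and the use of openssl for the chain and key checks are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the CFK documentation: helpers for the two-step
# CA rotation described above. Only verify_chain, key_matches_cert and
# apply_tls_secret need openssl and kubectl; the PEM-bundle helpers do not.

# Number of certificates in a PEM bundle (grep -c exits 1 on zero matches).
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Base64 body of every certificate in a bundle, one body per output line,
# so certificates can be compared byte-for-byte without openssl.
cert_bodies() {
  awk '/-----BEGIN CERTIFICATE-----/ { body = ""; in_cert = 1; next }
       /-----END CERTIFICATE-----/   { print body; in_cert = 0; next }
       in_cert                       { body = body $0 }' "$1"
}

# Exit 0 if the single certificate in file $2 is already present in bundle $1.
bundle_has_cert() {
  cert_bodies "$1" | grep -qxF -- "$(cert_bodies "$2")"
}

# Step 1: append the new CA to ca.pem so old and new CA co-exist. Idempotent,
# so re-running the procedure never leaves a duplicate entry in the bundle.
append_ca() {
  bundle=$1; new_ca=$2
  if bundle_has_cert "$bundle" "$new_ca"; then
    echo "append_ca: certificate already present in $bundle" >&2
    return 0
  fi
  # make sure the bundle ends with a newline before appending the next block
  [ -z "$(tail -c 1 "$bundle")" ] || echo >> "$bundle"
  cat "$new_ca" >> "$bundle"
}

# Step 2 checks (openssl required): the new server certificate must chain to
# the CA bundle, and the private key must belong to that certificate.
verify_chain() {          # verify_chain ca.pem server.pem
  openssl verify -CAfile "$1" "$2"
}
key_matches_cert() {      # key_matches_cert server.pem server-key.pem
  cert_pub=$(openssl x509 -noout -pubkey -in "$1")
  key_pub=$(openssl pkey -pubout -in "$2")
  [ "$cert_pub" = "$key_pub" ]
}

# The page's secret update, used unchanged by both steps.
apply_tls_secret() {      # apply_tls_secret component-tls server.pem ca.pem server-key.pem
  kubectl create secret generic "$1" \
    --from-file=fullchain.pem="$2" \
    --from-file=cacerts.pem="$3" \
    --from-file=privkey.pem="$4" \
    --save-config --dry-run=client -o yaml |
    kubectl apply -f -
}

# Offline demonstration of step 1 on constructed placeholder certificates
# (the bodies are arbitrary base64, not real DER). Prints the certificate
# count before the append, after it, and after a repeated append.
demo_step1() {
  dir=$(mktemp -d)
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'T0xEUk9PVENB' \
    '-----END CERTIFICATE-----' > "$dir/ca.pem"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'TkVXUk9PVENB' \
    '-----END CERTIFICATE-----' > "$dir/new-ca.pem"
  before=$(count_certs "$dir/ca.pem")
  append_ca "$dir/ca.pem" "$dir/new-ca.pem"
  after=$(count_certs "$dir/ca.pem")
  append_ca "$dir/ca.pem" "$dir/new-ca.pem" 2>/dev/null   # no-op second run
  again=$(count_certs "$dir/ca.pem")
  rm -rf "$dir"
  echo "$before $after $again"
}

demo_step1
```

For a real rotation, run step 1 as `append_ca ca.pem new-ca.pem` followed by `apply_tls_secret component-tls server.pem ca.pem server-key.pem`, wait for CFK's rolling restart to finish, then run `verify_chain ca.pem server.pem` and `key_matches_cert server.pem server-key.pem` against the newly issued pair before calling apply_tls_secret again for step 2. Until the restart from step 1 has completed, some replicas still trust only the old CA, which is why the new server certificate must not be installed any earlier.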