Manage Certificates
Rotate user-provided server certificates
When you provide your own certificates as Kubernetes secrets, you can rotate the server certificate by updating the contents of the Kubernetes Secret.
For example, if you used .pem files to provide the certificates, replace the server.pem certificate and the server-key.pem private key, then update the Kubernetes secret:
kubectl create secret generic component-tls \
--from-file=fullchain.pem=server.pem \
--from-file=cacerts.pem=ca.pem \
--from-file=privkey.pem=server-key.pem \
--save-config --dry-run=client -oyaml | \
kubectl apply -f -
CFK watches the Kubernetes secret for changes; when it notices that the content has changed, it performs a rolling restart of the component to configure the new server certificate.
Rotate certificate authority
When you provide your own certificates as Kubernetes secrets, you can rotate the certificate authority (CA) in a two-step process.
In this section, we assume you used .pem files to provide the certificates.
1. Append new certificate authority
Append the new intermediate/root CA certificate to ca.pem, so that it co-exists with the old intermediate/root CA:
file name: ca.pem
content:
-----BEGIN CERTIFICATE-----
<old root CA certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<new root CA certificate>
-----END CERTIFICATE-----
Update the secret:
kubectl create secret generic component-tls \
--from-file=fullchain.pem=server.pem \
--from-file=cacerts.pem=ca.pem \
--from-file=privkey.pem=server-key.pem \
--save-config --dry-run=client -oyaml | \
kubectl apply -f -
CFK watches the Kubernetes secret for changes; when it notices that the content has changed, it performs a rolling restart of the component to configure the new root CA for use alongside the old root CA.
2. Generate server certs with new certificate authority
Generate new server certificates signed by the new CA, and replace the server.pem certificate and the server-key.pem private key.
Then update the Kubernetes secret:
kubectl create secret generic component-tls \
--from-file=fullchain.pem=server.pem \
--from-file=cacerts.pem=ca.pem \
--from-file=privkey.pem=server-key.pem \
--save-config --dry-run=client -oyaml | \
kubectl apply -f -
CFK watches the Kubernetes secret for changes; when it notices that the content has changed, it performs a rolling restart of the component to configure the new server certificate.
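The two CA-rotation steps above as shell helpers; this is an added example, not code from the CFK documentation. File names (ca.pem, server.pem, server-key.pem) and the secret name component-tls follow the page, while the function names are assumptions made for this example.

```shell
# Added example (not from the CFK docs): helpers for the two-step CA rotation.
set -eu

# Count the certificate blocks in a PEM bundle (prints 0 if there are none).
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Step 1 helper: append the new CA certificate to the bundle so the old and
# new CA co-exist. If the same certificate is already in the bundle the
# append is skipped, so re-running the step does not duplicate it.
append_ca() {
  bundle="$1"; new_ca="$2"
  new_flat=$(tr -d '\n\r' < "$new_ca")
  [ -n "$new_flat" ] || return 1            # refuse an empty CA file
  bundle_flat=$(tr -d '\n\r' < "$bundle")
  case "$bundle_flat" in
    *"$new_flat"*) return 0 ;;               # already present, nothing to do
  esac
  # Make sure the bundle ends with a newline before appending the new block.
  [ -z "$(tail -c 1 "$bundle")" ] || printf '\n' >> "$bundle"
  cat "$new_ca" >> "$bundle"
}

# Check that a bundle holds exactly the expected number of CA certificates
# (2 while old and new CA co-exist during the rotation).
expect_certs() {
  [ "$(count_certs "$1")" -eq "$2" ]
}

# Step 2 check: confirm the new server certificate chains to a CA in the bundle
# before publishing it (requires the openssl CLI).
verify_chain() {
  openssl verify -CAfile "$1" "$2"
}

# Update the secret exactly as the page does, so CFK sees the change and
# rolling-restarts the component (requires kubectl and cluster access).
apply_tls_secret() {
  kubectl create secret generic component-tls \
    --from-file=fullchain.pem=server.pem \
    --from-file=cacerts.pem=ca.pem \
    --from-file=privkey.pem=server-key.pem \
    --save-config --dry-run=client -oyaml | \
    kubectl apply -f -
}
```

A typical run is `append_ca ca.pem new-ca.pem && expect_certs ca.pem 2 && apply_tls_secret` for step 1, then `verify_chain ca.pem server.pem && apply_tls_secret` once the new server certificate is in place.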