---
title: Rotating Active IPsec Certificates
owner: Security Engineering
---
<strong><%= modified_date %></strong>
This topic describes the process Pivotal recommends to increase deployment security by rotating certificates in the IPsec manifest.
## <a id='why'></a>Why You Need to Rotate Credentials
These are common reasons for rotating credentials:
+ Your organizational security policy may specify how often you should apply these changes.
+ Your certificates are going to expire. To find the expiration dates on your certificates, see [Checking Certificate Dates](check-dates.html).
## <a id='procedures'></a> About the Procedures
There are two procedures for certificate rotation described in this topic:
* [Procedure 1](#rotate-cert) describes rotating the following certificates specified in your IPsec manifest:
    * The instance certificate and instance private key<br>
    This procedure requires updating BOSH. It does not include rotating the certificate authority (CA) certificate.
* [Procedure 2](#rotate-CA) describes rotating your CA certificate in addition to your instance certificate and instance private key. This procedure requires updating BOSH three times.
<p class="note"><strong>Note</strong>: The rolling deploys during these procedures result in minimal deployment downtime.</p>
## <a id="rotate-cert"></a>Procedure 1: Rotate the Instance Certificate and Instance Private Key
Follow the steps below to rotate the instance certificate and instance private key.
1. Generate a new certificate and use your existing IPsec CA certificate to sign the new certificate.
1. Update the instance certificate and the private key fields in your `ipsec-addon.yml` file with the new values from the previous step.
1. Update the runtime config by running one of the following commands:
    * **For Ops Manager v1.10 or earlier:**
      `bosh update runtime-config PATH-TO-SAVE-THE-RUNTIME-CONFIG`
    * **For Ops Manager v1.11 or later:**
      `bosh2 -e BOSH-ENVIRONMENT update-runtime-config PATH-TO-SAVE-THE-RUNTIME-CONFIG`<br>
    <p class="note"><strong>Note</strong>: This step results in a few minutes of app downtime.</p>
1. Navigate to your Ops Manager interface in a browser, and click **Apply Changes**.
## <a id="rotate-CA"></a>Procedure 2: Rotate the CA Certificate, the Instance Certificate, and Instance Private Key
Follow these steps to rotate the CA certificate, instance certificate, and instance private key.
1. Generate a new CA certificate.
1. Append the newly generated CA certificate under the existing certificate as a new YAML list element in your `ipsec-addon.yml`.
    For example:
<pre>
<strong>ca_certificates</strong>:
\- |
-----BEGIN CERTIFICATE-----
... <strong>\<ORIGINAL ROOT\></strong>
-----END CERTIFICATE-----
\- |
-----BEGIN CERTIFICATE-----
... <strong>\<NEW ROOT\></strong>
-----END CERTIFICATE-----
.
.
.
</pre>
    For <strong>v1.8.12</strong> and above: IPsec supports CA certificate chains.<br><br>
    Concatenate the contents of the root and the intermediate certificates as one of the list items in <strong>ca\_certificates</strong> (the root CA is at the top).
<pre>
<strong>ca_certificates</strong>:
\- |
-----BEGIN CERTIFICATE-----
... <strong>\<ORIGINAL ROOT\></strong>
-----END CERTIFICATE-----
\- |
-----BEGIN CERTIFICATE-----
... <strong>\<NEW ROOT\></strong>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... <strong>\<INTERMEDIATE 1 ISSUED BY THE NEW ROOT CERT ABOVE\></strong>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... <strong>\<INTERMEDIATE 2 ISSUED BY THE INTERMEDIATE 1 ABOVE
... AND SIGNS THE NEW INSTANCE CERT\></strong>
-----END CERTIFICATE-----
</pre>
    <p class="note"><strong>Note</strong>: The root and the intermediate certificates cannot have the same subject name (also called the common name and set with <code>CN=</code>).<br>
    Also, the root certificate <b>must</b> be the first certificate of the chain.</p>
1. Update the runtime config by running one of the following commands:
    * **For Ops Manager v1.10 or earlier:**
      `bosh update runtime-config PATH-TO-SAVE-THE-RUNTIME-CONFIG`
    * **For Ops Manager v1.11 or later:**
      `bosh2 -e BOSH-ENVIRONMENT update-runtime-config PATH-TO-SAVE-THE-RUNTIME-CONFIG`<br>
    <p class="note"><strong>Note</strong>: This step results in a few minutes of app downtime.</p>
1. Navigate to your Ops Manager interface in a browser, and click **Apply Changes**.
1. Generate a new certificate and use your new CA certificate to sign the new certificate.
1. Update the instance certificate and the private key fields in your `ipsec-addon.yml` file with the new values from the previous step.
1. Repeat step 3 to update the runtime config.
1. Navigate to your Ops Manager interface in a browser, and click **Apply Changes**.
1. Delete the older CA certificate in the `ipsec-addon.yml` file.
1. Repeat step 3 to update the runtime config.
1. Navigate to your Ops Manager interface in a browser, and click **Apply Changes**.
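The script below is an added example, not code from the IPsec add-on or its documentation. It builds the new root, intermediate and instance certificates that steps 1 and 5 of Procedure 2 call for, assembles the concatenated `ca_certificates` list item shown in step 2 (root first, then the intermediates), and checks the two rules from the note in that step: the root must be the first certificate in the chain and no two CA certificates may share a subject name. The subject names (`ipsec-new-root`, `ipsec-intermediate-1`, and so on) are constructed for the example and only `openssl` is assumed to be installed.

```shell
#!/bin/sh
# Added example, not part of the IPsec add-on: build a new root -> intermediate
# -> instance chain with openssl and check the rules the note above gives for
# a concatenated ca_certificates item (root first, distinct subject names).
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# issue NAME CN SIGNER-CERT|self SIGNER-KEY CA:TRUE|CA:FALSE -> $WORK/NAME.crt
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'basicConstraints=critical,%s\n' "$5" >"$WORK/$1.ext"
  if [ "$3" = self ]; then signer="-signkey $WORK/$1.key"
  else signer="-CA $3 -CAkey $4 -CAcreateserial"; fi
  openssl x509 -req -in "$WORK/$1.csr" $signer -days 365 \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

gen_chain() {  # self-signed <NEW ROOT>, two intermediates, the instance cert
  issue root ipsec-new-root self - CA:TRUE
  issue int1 ipsec-intermediate-1 "$WORK/root.crt" "$WORK/root.key" CA:TRUE
  issue int2 ipsec-intermediate-2 "$WORK/int1.crt" "$WORK/int1.key" CA:TRUE
  issue instance ipsec-instance "$WORK/int2.crt" "$WORK/int2.key" CA:FALSE
  # The list item to paste into ca_certificates: root at the top.
  cat "$WORK/root.crt" "$WORK/int1.crt" "$WORK/int2.crt" >"$WORK/chain.pem"
}

# Print "ok" when bundle $1 starts with a self-signed root, each later cert is
# issued by the one before it, and no subject repeats; otherwise say why.
check_chain_order() {
  rm -f "$WORK"/part-*.pem
  awk -v d="$WORK" '/-----BEGIN CERTIFICATE-----/{n++} {print > (d "/part-" n ".pem")}' "$1"
  i=1; prev=""; seen="|"
  while [ -f "$WORK/part-$i.pem" ]; do
    subj=$(openssl x509 -in "$WORK/part-$i.pem" -noout -subject | sed 's/^subject=//')
    iss=$(openssl x509 -in "$WORK/part-$i.pem" -noout -issuer | sed 's/^issuer=//')
    [ "$i" -eq 1 ] && [ "$subj" != "$iss" ] && { echo "first cert is not a self-signed root"; return 1; }
    [ "$i" -gt 1 ] && [ "$iss" != "$prev" ] && { echo "cert $i not issued by cert $((i-1))"; return 1; }
    case "$seen" in *"|$subj|"*) echo "duplicate subject: $subj"; return 1;; esac
    seen="$seen$subj|"; prev=$subj; i=$((i+1))
  done
  echo ok
}

# Cryptographic check: the new instance cert must chain up to the new root.
verify_instance() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/chain.pem" \
    "$WORK/instance.crt" >/dev/null 2>&1
}
gen_chain
```

Run `check_chain_order "$WORK/chain.pem"` against the bundle you are about to paste into `ipsec-addon.yml`; a reversed or duplicated chain is reported before the runtime config is updated rather than after a deploy.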