Here you will find information about manually rotating the Spring Cloud Services certificates stored in the Tanzu Platform for Cloud Foundry runtime CredHub.
Preparing to rotate certificates

The following procedure uses the jq command-line JSON processing tool.

- To rotate the certificates, you must authenticate with the BOSH Director VM. After you have authenticated, locate the Spring Cloud Services BOSH deployment:

  $ bosh deployments

  The Spring Cloud Services deployment is named p_spring-cloud-services-[UNIQUE-ID]. You can now search for the certificates used by this deployment.

- Use the CredHub CLI to list the Certificate Authority (CA) certificates:

  $ credhub curl -p "/api/v1/certificates" -X GET | jq '.certificates[]
      | select((.name | contains("p_spring-cloud-services-b97ed088d2495d6813a9")) and .versions[0].certificate_authority == true)
      | .name'
  "/p-bosh/p_spring-cloud-services-b97ed088d2495d6813a9/pxc_server_ca"
  "/p-bosh/p_spring-cloud-services-b97ed088d2495d6813a9/pxc_galera_ca"

- Locate the intermediate (or leaf) certificates, which are signed by the CA certificates:

  $ credhub curl -p "/api/v1/certificates" -X GET | jq '.certificates[]
      | select((.name | contains("p_spring-cloud-services-b97ed088d2495d6813a9")) and .versions[0].certificate_authority == false)
      | .name'
  "/p-bosh/p_spring-cloud-services-b97ed088d2495d6813a9/pxc_mysql_server_certificate"
  "/p-bosh/p_spring-cloud-services-b97ed088d2495d6813a9/pxc_galera_server_certificate"

After rotating a CA certificate, you must regenerate the intermediate certificates signed by that CA certificate.
Rotating certificates

Perform the following procedure for each of the Spring Cloud Services deployment's two CA certificates (pxc_server_ca and pxc_galera_ca). The commands below show the rotation of pxc_server_ca.

- Look up the CA certificate:

  $ credhub curl -p "/api/v1/certificates?name=/p-bosh/p_spring-cloud-services-b97ed088d2495d6813a9/pxc_server_ca"

  You should see only one entry in the versions list. Copy the id of this version.

- Using the id copied in the previous step, generate a new transitional certificate version:

  $ credhub curl -p "/api/v1/certificates/be51e4a2-6b4a-47ea-a5e8-58034b0742ba/regenerate" -d '{"set_as_transitional": true}' -X POST

- Go to the Operations Manager Installation Dashboard and apply your changes.

- Look up the CA certificate again:

  $ credhub curl -p "/api/v1/certificates?name=/p-bosh/p_spring-cloud-services-b97ed088d2495d6813a9/pxc_server_ca"

  The new certificate version now has "transitional": true, and the old version has "transitional": false. Copy the id of the old version and use it to update the CA certificate, making the old version transitional:

  $ credhub curl -p /api/v1/certificates/be51e4a2-6b4a-47ea-a5e8-58034b0742ba/update_transitional_version -d '{"version": "834a4d40-d925-49f1-aced-a4362819d173"}' -X PUT

- Regenerate each intermediate certificate that is signed by this CA certificate:

  $ credhub regenerate -n /p-bosh/p_spring-cloud-services-b97ed088d2495d6813a9/pxc_mysql_server_certificate

- Return to the Operations Manager Installation Dashboard and apply your changes.

- Remove the old version of the certificate, leaving only the new version, which is no longer transitional:

  $ credhub curl -p /api/v1/certificates/be51e4a2-6b4a-47ea-a5e8-58034b0742ba/update_transitional_version -d '{"version": null}' -X PUT

- Return to the Operations Manager Installation Dashboard and apply your changes.

If applications fail to connect after the rotation, restart the affected service instances.
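The following Python helper is an added example, not part of the Tanzu documentation or the CredHub CLI. It applies the same selection as the two jq filters in the preparation section and performs the version-count and transitional-flag checks that the rotation steps rely on before each credhub curl call, using only the response fields the page shows (certificates[].name, versions[].id, .transitional, .certificate_authority); the sample response and its version ids are constructed placeholders.

```python
import json

DEPLOYMENT = "p_spring-cloud-services-b97ed088d2495d6813a9"  # deployment name from the page

# Constructed sample of a `credhub curl -p /api/v1/certificates` response, reduced to the
# fields the procedure reads. Version ids are placeholders, not real CredHub ids. The CA is
# shown midway through the rotation: the new version is transitional, the old one is not.
SAMPLE = {"certificates": [
    {"name": f"/p-bosh/{DEPLOYMENT}/pxc_server_ca", "versions": [
        {"id": "NEW-CA-VERSION-ID", "transitional": True, "certificate_authority": True},
        {"id": "OLD-CA-VERSION-ID", "transitional": False, "certificate_authority": True}]},
    {"name": f"/p-bosh/{DEPLOYMENT}/pxc_mysql_server_certificate", "versions": [
        {"id": "LEAF-VERSION-ID", "transitional": False, "certificate_authority": False}]},
    {"name": "/p-bosh/other-deployment-id/some_ca", "versions": [
        {"id": "UNRELATED-ID", "transitional": False, "certificate_authority": True}]},
]}


def cert_names(doc, deployment, want_ca):
    """Same selection as the page's jq filters: the deployment's CA (want_ca=True) or
    leaf (want_ca=False) certificate names, judged on versions[0] as the filters do."""
    return [c["name"] for c in doc["certificates"]
            if deployment in c["name"]
            and c["versions"][0]["certificate_authority"] == want_ca]


def find_cert(doc, name):
    return next(c for c in doc["certificates"] if c["name"] == name)


def pre_rotation_version_id(cert):
    """Step 1 check: exactly one version must exist; return its id for the regenerate call."""
    versions = cert["versions"]
    if len(versions) != 1:
        raise ValueError(f"{cert['name']}: expected 1 version, found {len(versions)}")
    return versions[0]["id"]


def post_regenerate_ids(cert):
    """Step 4 check: two versions, exactly one of them transitional (the new one).
    Returns (new_id, old_id); old_id is what the update_transitional_version call needs."""
    new = [v["id"] for v in cert["versions"] if v["transitional"]]
    old = [v["id"] for v in cert["versions"] if not v["transitional"]]
    if len(cert["versions"]) != 2 or len(new) != 1:
        raise ValueError(f"{cert['name']}: expected one transitional and one regular version")
    return new[0], old[0]


def update_transitional_cmd(cert_id, version_id):
    """Argument list for the page's update_transitional_version call; version_id=None
    produces the final '{"version": null}' body that ends the rotation."""
    path = f"/api/v1/certificates/{cert_id}/update_transitional_version"
    return ["credhub", "curl", "-p", path, "-d", json.dumps({"version": version_id}), "-X", "PUT"]
```

Run the checks against a fresh `credhub curl -p /api/v1/certificates` capture before each step so a CA with an unexpected number of versions or transitional flags is caught before Ops Manager applies the change.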