How To rotate signed certificates

Context

TLS certificates on the Aerospike server or client will eventually expire. Updating a signed certificate on the server or client is as simple as overwriting the existing certificate (and key) file with the new one. This procedure should be valid for either standard or mutual authentication. This article assumes that the CA root certificate is not expiring.

Method

Overwrite the files referenced in key-file and cert-file with their respective new files.

Overview of TLS server authentication

In general the server checks that a client certificate passes all the following checks:

  1. The certificate was issued by a trusted CA.
  2. The certificate hasn’t yet expired.
  3. The certificate matches the expected TLS name (if configured through the tls-authenticate-client configuration; when it is set to any, the TLS name does not have to match).

When new certificates are used alongside old certificates that have not yet expired, the new certificates, just like the old ones, pass all of the above checks.

Example of rotating mutual authentication certificates

Assume the following certificates are present:

  • ca.crt - CA ROOT cert expiring in 10 years
  • client1.crt - Client signed certificate
  • client1.key - Client Key
  • client2.crt - Newer Client signed certificate
  • client2.key - Newer Client Key
  • server.crt - Server signed certificate
  • server.key - Server Key
  • server2.crt - Newer Server signed certificate
  • server2.key - Newer Server Key

Use the following test config:

network {
        service {
                address any
                access-address enp0s9
                port 3000
                tls-port 4333
                tls-name server
                tls-authenticate-client client1
        }

        tls server {
                cert-file /vagrant/multicerts/server.crt
                ca-file /vagrant/multicerts/ca.crt
                key-file /vagrant/multicerts/server.key
        }

        tls client1 {
                cert-file /vagrant/multicerts/client1.crt
                ca-file /vagrant/multicerts/ca.crt
                key-file /vagrant/multicerts/client1.key
        }
}

Test original client1 cert from an aql client:

$ aql -h "192.168.7.19:server:4333" --tls-enable --tls-cafile=/vagrant/clientenvcerts/ca.crt --tls-keyfile=/vagrant/clientenvcerts/client1.key --tls-certfile=/vagrant/clientenvcerts/client1.crt 
Seed:         192.168.7.19:server:4333
User:         None
Config File:  /etc/aerospike/astools.conf /root/.aerospike/astools.conf 
Aerospike Query Client
Version 3.19.0
C Client Version 4.5.0
Copyright 2012-2019 Aerospike. All rights reserved.

Rotate the server signed certificates by overwriting the content of the server certs (key-file and cert-file) with server2 files:

# mv server2.key server.key
# mv server2.crt server.crt

Test that the same client1 cert shows no issues after rotation:

$ aql -h "192.168.7.19:server:4333" --tls-enable --tls-cafile=/vagrant/clientenvcerts/ca.crt --tls-keyfile=/vagrant/clientenvcerts/client1.key --tls-certfile=/vagrant/clientenvcerts/client1.crt 
Seed:         192.168.7.19:server:4333
User:         None
Config File:  /etc/aerospike/astools.conf /root/.aerospike/astools.conf 
Aerospike Query Client
Version 3.19.0
C Client Version 4.5.0
Copyright 2012-2019 Aerospike. All rights reserved.

Newer certificate also works as expected on the client:

$ aql -h "192.168.7.19:server:4333" --tls-enable --tls-cafile=/vagrant/clientenvcerts/ca.crt --tls-keyfile=/vagrant/clientenvcerts/client2.key --tls-certfile=/vagrant/clientenvcerts/client2.crt 
Seed:         192.168.7.19:server:4333
User:         None
Config File:  /etc/aerospike/astools.conf /root/.aerospike/astools.conf 
Aerospike Query Client
Version 3.19.0
C Client Version 4.5.0
Copyright 2012-2019 Aerospike. All rights reserved.
aql> 

Update the client1 cert on the Aerospike server side to the newer certificates.

# mv client2.key client1.key 
# mv client2.crt client1.crt

Test old client1 certs while server is using newer certs for client mutual authentication.

$ aql -h "192.168.7.19:server:4333" --tls-enable --tls-cafile=/vagrant/clientenvcerts/ca.crt --tls-keyfile=/vagrant/clientenvcerts/client1.key --tls-certfile=/vagrant/clientenvcerts/client1.crt 
Seed:         192.168.7.19:server:4333
User:         None
Config File:  /etc/aerospike/astools.conf /root/.aerospike/astools.conf 
Aerospike Query Client
Version 3.19.0
C Client Version 4.5.0
Copyright 2012-2019 Aerospike. All rights reserved.
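The checks listed in the overview above (issued by the trusted CA, not yet expired, key and certificate belonging together) can be run against a new certificate before it is installed, and the overwrite step of the example can be scripted with a backup of the files being replaced. The following POSIX shell script is an added example written for this article; it is not Aerospike tooling and does not appear in the original. It assumes openssl is on the PATH, that the live paths are whatever the cert-file and key-file directives in aerospike.conf point at, and the function names, the backup suffix and the MIN_DAYS threshold are choices made here.

```shell
#!/bin/sh
# Added example: preflight-check a new certificate/key pair with openssl, then
# rotate it over the live files referenced by cert-file / key-file.
# Not part of the Aerospike article; all paths and names are assumptions.

# Print the notAfter date of a PEM certificate.
cert_expiry() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Succeed if CERT ($1) chains to the CA bundle CA_FILE ($2) - check 1 of the overview.
cert_chains_to_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Succeed if the private KEY ($2) belongs to CERT ($1): compare the public halves.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeed if CERT ($1) is still valid for at least DAYS ($2) - check 2 of the overview,
# with a margin so a "new" certificate that is itself about to expire is rejected.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# preflight NEW_CERT NEW_KEY CA_FILE MIN_DAYS: run all checks, report the first failure.
preflight() {
    cert_chains_to_ca "$1" "$3"   || { echo "new cert does not chain to CA" >&2; return 1; }
    key_matches_cert "$1" "$2"    || { echo "new key does not match new cert" >&2; return 1; }
    cert_valid_for_days "$1" "$4" || { echo "new cert expires within $4 days" >&2; return 1; }
    echo "ok: new cert valid until $(cert_expiry "$1")"
}

# rotate_pair NEW_CERT NEW_KEY LIVE_CERT LIVE_KEY
# Back up the live files with a timestamp, restrict the new key to its owner,
# then move the new files over the live ones (the article's mv step).
rotate_pair() {
    new_crt=$1; new_key=$2; live_crt=$3; live_key=$4
    stamp=$(date +%Y%m%dT%H%M%S)
    cp -p "$live_crt" "$live_crt.$stamp.bak" || return 1
    cp -p "$live_key" "$live_key.$stamp.bak" || return 1
    chmod 600 "$new_key" || return 1
    mv "$new_crt" "$live_crt" || return 1
    mv "$new_key" "$live_key" || return 1
}

# Usage, following the article's server rotation (hypothetical paths):
#   preflight server2.crt server2.key ca.crt 30 && \
#       rotate_pair server2.crt server2.key server.crt server.key
```

The two mv calls are not one atomic operation, so there is a brief moment in which the certificate and key on disk belong to different pairs; running preflight first and keeping the timestamped backups means a failed rotation can be undone by moving the .bak files back. The same functions serve the client1 rotation by swapping in the client file names.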

Summary

The above example demonstrates that rotating a certificate is as simple as replacing the files referenced by cert-file and key-file with a newer version.

Notes

  • It is recommended to rotate existing certificates prior to their expiration.

Keywords

TLS ROTATION EXPIRATION MUTUAL AUTHENTICATION

Timestamp

November 2019
