Merge "Add guide for switching between different types of certificates"
This commit is contained in:
commit
b9beb8882d
|
@ -153,6 +153,14 @@ command syntax is dependent upon the CA. Note the inclusion of the input file
|
||||||
-notext -md sha256 -in ~/csr_file -out ~/vault-charm-int.pem -batch \
|
-notext -md sha256 -in ~/csr_file -out ~/vault-charm-int.pem -batch \
|
||||||
-passin pass:secretpassword
|
-passin pass:secretpassword
|
||||||
|
|
||||||
|
.. note::
|
||||||
|
|
||||||
|
Depending on the services deployed on your cloud, the intermediate CA
|
||||||
|
may need to issue both client and server certificates. Therefore, it is
|
||||||
|
necessary to check the property of your external CA and grant the
|
||||||
|
intermediate CA the proper level of authorization to issue both types
|
||||||
|
of certificates.
|
||||||
|
|
||||||
The certificate is normally provided in PEM format, like the output file
|
The certificate is normally provided in PEM format, like the output file
|
||||||
``~/vault-charm-int.pem`` in the above command. A root CA certificate should
|
``~/vault-charm-int.pem`` in the above command. A root CA certificate should
|
||||||
also be provided and placed in, say, file ``~/root-ca.pem``.
|
also be provided and placed in, say, file ``~/root-ca.pem``.
|
||||||
|
@ -269,6 +277,57 @@ New certificates can be reissued to all TLS-enabled clients by means of the
|
||||||
``reissue-certificates`` action. See cloud operation `Reissue TLS
|
``reissue-certificates`` action. See cloud operation `Reissue TLS
|
||||||
certificates across the cloud`_ in the Admin Guide for details.
|
certificates across the cloud`_ in the Admin Guide for details.
|
||||||
|
|
||||||
|
Switching between different types of CA certificates
|
||||||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
It is possible to switch between a self-signed root CA certificate
|
||||||
|
and a third-party intermediate CA certificate after deployment.
|
||||||
|
|
||||||
|
.. Important::
|
||||||
|
|
||||||
|
Switching certificates will cause a short period of downtime for services
|
||||||
|
using Vault as the certificate manager. Notebly, a TLS-enabled Keystone will
|
||||||
|
temporarily move to the ``maintainance`` state to update its endpoints.
|
||||||
|
|
||||||
|
From self-signed root certificate to third-party intermediate certificate
|
||||||
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
To switch from a self-signed root CA certificate to a third-party intermediate
|
||||||
|
CA certificate, you need to first disable the PKI secrets
|
||||||
|
backend:
|
||||||
|
|
||||||
|
.. code-block:: none
|
||||||
|
|
||||||
|
juju run-action --wait vault/leader disable-pki
|
||||||
|
|
||||||
|
This step deletes the exisitng root certificate and invalidates any previous csr
|
||||||
|
requests.
|
||||||
|
|
||||||
|
Next, follow the steps described in the
|
||||||
|
`Third-party intermediate CA certificate`_ section above to retrieve a CSR
|
||||||
|
from the Vault and have it signed by the external CA.
|
||||||
|
|
||||||
|
|
||||||
|
Finally, upload both the signed intermediate certificate and the external root
|
||||||
|
CA certificate to Vault:
|
||||||
|
|
||||||
|
.. code-block:: none
|
||||||
|
|
||||||
|
juju run-action --wait vault/leader upload-signed-csr \
|
||||||
|
pem=“$(cat /path/to/vault-charm-int.pem | base64)" \
|
||||||
|
root-ca="$(cat /path/to/root-ca.pem | base64)"
|
||||||
|
|
||||||
|
From third-party intermediate certificate to self-signed root certificate
|
||||||
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
To switch from an external certificate to a self-signed one first disable the
|
||||||
|
PKI secrets backend and then generate a root CA certificate:
|
||||||
|
|
||||||
|
.. code-block:: none
|
||||||
|
|
||||||
|
juju run-action --wait vault/leader disable-pki
|
||||||
|
juju run-action --wait vault/leader generate-root-ca
|
||||||
|
|
||||||
.. LINKS
|
.. LINKS
|
||||||
.. _RFC5280: https://tools.ietf.org/html/rfc5280#section-3.2
|
.. _RFC5280: https://tools.ietf.org/html/rfc5280#section-3.2
|
||||||
.. _RFC7468: https://tools.ietf.org/html/rfc7468#section-5
|
.. _RFC7468: https://tools.ietf.org/html/rfc7468#section-5
|
||||||
|
|
Loading…
Reference in New Issue