Best practices: Certificate Rotation

jmeirow · March 29, 2021, 3:22pm

Has anyone established a pattern or best practice for updating devices with new CA-signed certs? I am asking specifically about self-hosted version of Mender server.

For instance, if an organization receives their new CA-signed cert, do they append them to the current server.crt and send out the new server.crt to all devices? And then when it is certain that all devices have the new server.crt (with both the old and new CA-signed cert chains), they can install the new certificate on the server without the devices losing connectivity?

Is there a better way than this?

drewmoseley · March 29, 2021, 4:04pm

Hi @jmeirow that’s definitely been my understanding of how to rotate certificates. I would love to hear if others are doing anything substantially different.

Drew

dellgreen · March 29, 2021, 4:25pm

We are our own certificate authority, and have our CA public certificate on the device so that all server certificates we sign with our CA private key are trusted by the devices so we can rotate server certificates freely.

Topic		Replies	Views
Client complains server's cert signed by unknown authority General Discussions ssl	7	563	July 5, 2022
SSL Certs workflow - self signed to CA General Discussions	5	1807	June 9, 2020
Secure mender-open source or on prim server General Discussions	19	636	August 1, 2020
Elaboration on the nature of server.crt General Discussions	3	413	December 15, 2020
Certificate issue when upgrading server from 2.6 to 3.2.1 General Discussions	8	581	May 4, 2022

Best practices: Certificate Rotation

Related topics