Best practices: Certificate Rotation

Has anyone established a pattern or best practice for updating devices with new CA-signed certs? I am asking specifically about the self-hosted version of the Mender server.

For instance, if an organization receives its new CA-signed cert, does it append it to the current server.crt and send out the new server.crt to all devices? And then, once it is certain that all devices have the new server.crt (with both the old and new CA-signed cert chains), can it install the new certificate on the server without the devices losing connectivity?

Is there a better way than this?
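The two-phase rotation described in the question, as an added example that is not from the post or from the Mender project: two throwaway CAs are generated in a temp dir, a server cert is issued from each, and the bundled server.crt is checked the way a device would check it. It assumes the device's trust file is a PEM bundle and that `openssl` is on PATH; all names are constructed.

```shell
#!/bin/sh
# Added example: simulate old-CA -> new-CA rotation with constructed CAs.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME -> self-signed NAME-ca.key / NAME-ca.crt (constructed test CA)
make_ca() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -days 2 -sha256 -subj "/CN=Example $1 CA" \
    -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.crt" 2>/dev/null
}

# issue_server CA_NAME OUT -> leaf cert for the Mender server signed by CA_NAME
issue_server() {
  openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=mender.example.invalid" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1-ca.crt" \
    -CAkey "$WORK/$1-ca.key" -CAcreateserial -days 1 \
    -out "$WORK/$2.crt" 2>/dev/null
}

# trusted_by BUNDLE CERT -> 0 if CERT chains to a CA in BUNDLE (the device's check)
trusted_by() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_ca old
make_ca new
issue_server old server-old
issue_server new server-new

# Phase 1: ship a server.crt carrying BOTH CA certs to every device.
cat "$WORK/old-ca.crt" "$WORK/new-ca.crt" > "$WORK/server.crt"

# Phase 2 (swap the server cert) is safe only once every device holds the
# bundle: a device with the bundle accepts the old AND the new server cert.
rotation_safe() {
  trusted_by "$WORK/server.crt" "$WORK/server-old.crt" &&
  trusted_by "$WORK/server.crt" "$WORK/server-new.crt"
}

# A device still holding only the old CA rejects the new server cert, which
# is the connectivity loss the ordering above avoids.
stale_device_rejects_new() {
  ! trusted_by "$WORK/old-ca.crt" "$WORK/server-new.crt"
}
```

Once every device reports the bundled server.crt, the server can present the cert signed by the new CA; the old CA cert can be dropped from the bundle in a later update.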

Hi @jmeirow that’s definitely been my understanding of how to rotate certificates. I would love to hear if others are doing anything substantially different.


We are our own certificate authority, and we have our CA public certificate on the device so that all server certificates we sign with our CA private key are trusted by the devices, so we can rotate server certificates freely.