Best practices: Certificate Rotation

jmeirow · March 29, 2021, 3:22pm

Has anyone established a pattern or best practice for updating devices with new CA-signed certs? I am asking specifically about self-hosted version of Mender server.

For instance, if an organization receives their new CA-signed cert, do they append them to the current server.crt and send out the new server.crt to all devices? And then when it is certain that all devices have the new server.crt (with both the old and new CA-signed cert chains), they can install the new certificate on the server without the devices losing connectivity?

Is there a better way than this?

drewmoseley · March 29, 2021, 4:04pm

Hi @jmeirow that’s definitely been my understanding of how to rotate certificates. I would love to hear if others are doing anything substantially different.

Drew

dellgreen · March 29, 2021, 4:25pm

We are our own certificate authority, and have our CA public certificate on the device so that all server certificates we sign with our CA private key are trusted by the devices so we can rotate server certificates freely.

Topic		Replies	Views
Does a device log failed attempts to add itself to Pending Devices? General Discussions	26	926	February 19, 2021
Preauthorizing devices based on root certificate? General Discussions	8	550	January 4, 2021
Verify device auth in custom server General Discussions	0	477	April 24, 2020
Migrating a device from one Mender server to another General Discussions yocto , nxp	4	2045	April 2, 2019
Identification for update General Discussions	10	498	September 12, 2019

Best practices: Certificate Rotation

Related Topics