Rotating a CA
Rotate the certificate authority (CA) used by an agent while minimizing the impact to agent communications.
Steps

- On the agent web server, update the agent.properties file to add the new CA certificate.
  - Concatenate the old and new CA certificates in PEM encoding format into a new file.
  - Encode the contents of the file to Base64.
  - Open the agent.properties file and set the value of the agent.engine.configuration.bootstrap.truststore line to the encoded content.
    Example:
    agent.engine.configuration.bootstrap.truststore=<Encoded_content>
- Restart the agent web server.
- Update the PingAccess configuration to use a new server certificate signed by the new CA for the agent HTTPS listener.
  - Identify a key pair to use. If necessary, create a new key pair.
    Learn more in Generating new key pairs.
  - Generate a CSR for that key pair.
    Learn more in Generating certificate signing requests.
  - Submit that CSR to the new CA to get a new signed certificate.
  - Import the CSR response (the new certificate) into PingAccess.
    Learn more in Importing certificates.
  - Assign the key pair to the agent HTTPS listener.
    Learn more in Assigning key pairs to HTTPS listeners.
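
The agent.properties update from the first step (concatenate, Base64-encode, set the truststore line), written as a shell script. This is an added example, not taken from the product documentation: the function names and file arguments are hypothetical, and the PEM check only looks for the certificate marker rather than validating the certificate.

```shell
#!/bin/sh
# Added example. Function names and arguments are hypothetical.
KEY="agent.engine.configuration.bootstrap.truststore"

# Print the Base64 encoding of the old and new CA PEM files as one line.
encode_trust_bundle() {
    old_ca=$1; new_ca=$2
    for f in "$old_ca" "$new_ca"; do
        # Refuse input that does not carry a PEM certificate marker.
        grep -q -e '-----BEGIN CERTIFICATE-----' "$f" || {
            echo "not a PEM certificate: $f" >&2; return 1; }
    done
    # awk 1 restores a missing final newline so the two PEM blocks never
    # fuse together; tr removes the line wrapping base64 may add, because
    # a properties value has to stay on a single line.
    awk 1 "$old_ca" "$new_ca" | base64 | tr -d '\n'
}

# Set the truststore line in an agent.properties file, keeping a .bak copy.
set_bootstrap_truststore() {
    props=$1; old_ca=$2; new_ca=$3
    encoded=$(encode_trust_bundle "$old_ca" "$new_ca") || return 1
    cp "$props" "$props.bak" || return 1
    # Drop any existing truststore line, then append the new value, so the
    # file never ends up with two competing entries.
    awk -v k="$KEY=" 'index($0, k) != 1' "$props.bak" > "$props" || return 1
    printf '%s=%s\n' "$KEY" "$encoded" >> "$props"
}

# Usage: script.sh <agent.properties> <old-ca.pem> <new-ca.pem>
if [ $# -eq 3 ]; then
    set_bootstrap_truststore "$@"
fi
```

Keeping the old CA in the bundle lets the agent continue to trust the existing listener certificate until the listener is switched to one signed by the new CA.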