PingAccess

Rotating a CA

Rotate the certificate authority (CA) used by an agent while minimizing the impact to agent communications.

  1. On the agent web server, update the agent.properties file to add the new CA certificate.

    1. Concatenate the old and new CA certificates in PEM encoding format into a new file.

    2. Encode the contents of the file to Base64.

    3. Open the agent.properties file and set the value of the agent.engine.configuration.bootstrap.truststore line to the encoded content.

      Example:

      agent.engine.configuration.bootstrap.truststore=Encoded_content

  2. Restart the agent web server.

  3. Update the PingAccess configuration to use a new server certificate signed by the new CA for the agent HTTPS listener.

    1. Identify a key pair to use. If necessary, create a new key pair.

      Learn more in Generating new key pairs.

    2. Generate a CSR for that key pair.

    3. Submit that CSR to the new CA to get a new signed certificate.

    4. Import the CSR response (the new certificate) into PingAccess.

      Learn more in Importing certificates.

    5. Assign the key pair to the agent HTTPS listener.
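
The following shell script is an added example, not part of the PingAccess documentation, showing one way to carry out the substeps of step 1: it concatenates the two CA files, encodes them, writes the property, and then decodes the stored value to confirm both certificates are present. The script name, the file arguments, the .bak backup, and writing the Base64 value as a single unwrapped line are assumptions.

```shell
#!/bin/sh
# Added example: file names and the single-line Base64 value are assumptions.
KEY='agent.engine.configuration.bootstrap.truststore'
MARK='-----BEGIN CERTIFICATE-----'

# count_certs FILE: print the number of PEM certificate blocks in FILE.
count_certs() {
    grep -c -- "$MARK" "$1" || true    # grep exits 1 on zero matches
}

# build_truststore OLD_PEM NEW_PEM: print Base64 of the concatenated bundle.
build_truststore() {
    for f in "$1" "$2"; do
        [ "$(count_certs "$f")" -ge 1 ] || {
            echo "no PEM certificate found in $f" >&2
            return 1
        }
    done
    # The extra newline keeps the END and BEGIN markers on separate lines
    # when the old file lacks a trailing newline.
    { cat "$1"; printf '\n'; cat "$2"; } | base64 | tr -d '\n'
}

# set_truststore PROPS VALUE: replace the property line in place, or append
# it if absent. A backup with the original mode is kept as PROPS.bak.
set_truststore() {
    cp -p "$1" "$1.bak"
    awk -v k="$KEY" -v v="$2" '
        index($0, k "=") == 1 { print k "=" v; seen = 1; next }
        { print }
        END { if (!seen) print k "=" v }
    ' "$1.bak" > "$1"
}

# verify_truststore PROPS: decode the stored value and print how many
# certificates it contains (expect old + new).
verify_truststore() {
    sed -n "s/^$KEY=//p" "$1" | base64 -d | grep -c -- "$MARK" || true
}

# Usage: sh rotate_truststore.sh old-ca.pem new-ca.pem agent.properties
if [ "$#" -eq 3 ]; then
    value=$(build_truststore "$1" "$2") || exit 1
    set_truststore "$3" "$value"
    echo "trust store now holds $(verify_truststore "$3") certificate(s)"
fi
```

Run it before restarting the agent web server in step 2. A reported count lower than the number of certificates in the two input files means the stored value does not contain both CAs.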