This page describes Apigee mTLS maintenance tasks that need to be performed regularly.
Rotating local certificates
Local certificates, which are installed on each Apigee host, need to be replaced with new ones annually. This is called certificate rotation. There are two ways to rotate certificates, depending on whether you are using a custom certificate authority or a certificate installed by Consul.
Rotating local certificates without a custom certificate authority (CA)
The simplest way to rotate certificates without a custom CA is to uninstall and re-install apigee-mtls. This removes all old certificates present and generates fresh certificates locally. You can do this with minimal downtime by performing the following commands on each host, one at a time:
Note: This assumes the same silent.conf file that was used for the initial installation is present.
- Stop all core Apigee components:
  /opt/apigee/apigee-service/bin/apigee-all stop
- Stop apigee-mtls:
  /opt/apigee/apigee-service/bin/apigee-service apigee-mtls stop
- Uninstall apigee-mtls:
  /opt/apigee/apigee-service/bin/apigee-service apigee-mtls uninstall
- Reinstall apigee-mtls:
  /opt/apigee/apigee-service/bin/apigee-service apigee-mtls install
- Run apigee-mtls setup:
  /opt/apigee/apigee-service/bin/apigee-service apigee-mtls setup -f /opt/silent.conf
- Restart apigee-mtls:
  /opt/apigee/apigee-service/bin/apigee-service apigee-mtls start
- Restart all core Apigee components:
  /opt/apigee/apigee-service/bin/apigee-all start
Rotating local certificates with a custom certificate authority (CA)
To rotate local certificates with a custom CA, perform the following steps:
- Follow the steps in Use a custom certificate to generate the new certificates you'll be using.
- Stop all core Apigee components:
  /opt/apigee/apigee-service/bin/apigee-all stop
- Stop apigee-mtls:
  /opt/apigee/apigee-service/bin/apigee-service apigee-mtls stop
- Remove the old local cert files:
  rm -f /opt/apigee/apigee-mtls/certs/local_cert.pem
  rm -f /opt/apigee/apigee-mtls/certs/local_key.pem
  rm -f /opt/apigee/apigee-mtls/source/certs/local_cert.pem
  rm -f /opt/apigee/apigee-mtls/source/certs/local_key.pem
  rm -rf /opt/apigee/data/apigee-mtls
- Copy the new cert/key pair generated in the first step into the following locations, and
  update permissions (each chmod/chown copies the mode and owner of ca_cert.pem onto the file just copied):
  cp ${new_cert} /opt/apigee/apigee-mtls/certs/local_cert.pem
  chmod --reference=/opt/apigee/apigee-mtls/certs/ca_cert.pem \
    /opt/apigee/apigee-mtls/certs/local_cert.pem
  chown --reference=/opt/apigee/apigee-mtls/certs/ca_cert.pem \
    /opt/apigee/apigee-mtls/certs/local_cert.pem
  cp ${new_cert} /opt/apigee/apigee-mtls/source/certs/local_cert.pem
  chmod --reference=/opt/apigee/apigee-mtls/certs/ca_cert.pem \
    /opt/apigee/apigee-mtls/source/certs/local_cert.pem
  chown --reference=/opt/apigee/apigee-mtls/certs/ca_cert.pem \
    /opt/apigee/apigee-mtls/source/certs/local_cert.pem
  cp ${new_key} /opt/apigee/apigee-mtls/certs/local_key.pem
  chmod --reference=/opt/apigee/apigee-mtls/certs/ca_cert.pem \
    /opt/apigee/apigee-mtls/certs/local_key.pem
  chown --reference=/opt/apigee/apigee-mtls/certs/ca_cert.pem \
    /opt/apigee/apigee-mtls/certs/local_key.pem
  cp ${new_key} /opt/apigee/apigee-mtls/source/certs/local_key.pem
  chmod --reference=/opt/apigee/apigee-mtls/certs/ca_cert.pem \
    /opt/apigee/apigee-mtls/source/certs/local_key.pem
  chown --reference=/opt/apigee/apigee-mtls/certs/ca_cert.pem \
    /opt/apigee/apigee-mtls/source/certs/local_key.pem
- Restart apigee-mtls:
  /opt/apigee/apigee-service/bin/apigee-service apigee-mtls start
- Restart all core Apigee components:
  /opt/apigee/apigee-service/bin/apigee-all start
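The remove-and-copy steps of the custom-CA procedure, as an added shell example that is not part of the Apigee documentation: before it touches any file it checks that the new key belongs to the new certificate, that the certificate chains to the ca_cert.pem apigee-mtls already trusts, and that it is not about to expire, then it installs the pair into both locations with the same chmod/chown --reference technique the procedure uses. The function name install_local_pair and the openssl pre-checks are this example's own; MTLS_DIR defaults to /opt/apigee/apigee-mtls, and stopping the services, clearing /opt/apigee/data/apigee-mtls and restarting remain the surrounding manual steps.

```shell
#!/bin/sh
# Added example, not from the Apigee documentation: pre-check a new local
# cert/key pair against the CA apigee-mtls already trusts, then install it
# into both locations the rotation procedure names, copying mode and owner
# from ca_cert.pem exactly as the procedure does.
set -eu

# Usage: install_local_pair NEW_CERT NEW_KEY [MTLS_DIR]
# MTLS_DIR defaults to /opt/apigee/apigee-mtls (taken from the procedure);
# the function name and the openssl checks are this example's own additions.
# Returns non-zero without touching any file if a pre-check does not pass.
install_local_pair() {
  new_cert=$1; new_key=$2; mtls_dir=${3:-/opt/apigee/apigee-mtls}
  ca_cert="$mtls_dir/certs/ca_cert.pem"

  # 1. The private key must belong to the certificate: compare public keys.
  cert_pub=$(openssl x509 -noout -pubkey -in "$new_cert")
  key_pub=$(openssl pkey -pubout -in "$new_key")
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
    || { echo "new key does not match new cert" >&2; return 1; }

  # 2. The certificate must chain to the CA the other hosts trust. A pair
  #    from a different CA copies fine but fails every mTLS handshake.
  openssl verify -CAfile "$ca_cert" "$new_cert" >/dev/null 2>&1 \
    || { echo "new cert is not issued by $ca_cert" >&2; return 1; }

  # 3. Rotation is annual, so reject a certificate that already expires
  #    within 30 days (2592000 seconds).
  openssl x509 -noout -checkend 2592000 -in "$new_cert" >/dev/null \
    || { echo "new cert expires within 30 days" >&2; return 1; }

  # 4. Replace the pair in both locations the procedure lists, giving each
  #    new file the mode and owner of ca_cert.pem.
  for dir in "$mtls_dir/certs" "$mtls_dir/source/certs"; do
    rm -f "$dir/local_cert.pem" "$dir/local_key.pem"
    cp "$new_cert" "$dir/local_cert.pem"
    cp "$new_key" "$dir/local_key.pem"
    chmod --reference="$ca_cert" "$dir/local_cert.pem" "$dir/local_key.pem"
    chown --reference="$ca_cert" "$dir/local_cert.pem" "$dir/local_key.pem"
  done
}
```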