Apigee mTLS Maintenance

This page describes Apigee mTLS maintenance tasks that need to be performed regularly.

Rotating local certificates

Local certificates, which are installed on each Apigee host, need to be replaced with new ones annually. This is called certificate rotation. There are two ways to rotate certificates, depending on whether you are using a custom certificate authority or a certificate installed by Consul.

Rotating local certificates without a custom certificate authority (CA)

The simplest way to rotate certificates without a custom CA is to uninstall and re-install apigee-mtls. This removes all old certificates present, and generates fresh certificates locally. You can do this with minimal downtime by performing the following commands on each host, one at a time:

Note: This assumes the same silent.conf file that was used for the initial installation is present.

  1. Stop all core Apigee components:
    /opt/apigee/apigee-service/bin/apigee-all stop
    See Start/stop/check all components.
  2. Stop apigee-mtls:
    /opt/apigee/apigee-service/bin/apigee-service apigee-mtls stop
  3. Uninstall apigee-mtls:
    /opt/apigee/apigee-service/bin/apigee-service apigee-mtls uninstall
  4. Reinstall apigee-mtls:
    /opt/apigee/apigee-service/bin/apigee-service apigee-mtls install
  5. Run apigee-mtls setup:
    /opt/apigee/apigee-service/bin/apigee-service apigee-mtls setup -f /opt/silent.conf
  6. Restart apigee-mtls:
    /opt/apigee/apigee-service/bin/apigee-service apigee-mtls start
  7. Restart all core Apigee components:
    /opt/apigee/apigee-service/bin/apigee-all start
    See Start/stop/check all components.

Rotating local certificates with a custom certificate authority (CA)

To rotate local certificates with a custom CA, do the following steps:

  1. Follow the steps in Use a custom certificate to generate the new certificates you'll be using.
  2. Stop all core Apigee components:
    /opt/apigee/apigee-service/bin/apigee-all stop
    See Start/stop/check all components.
  3. Stop apigee-mtls:
    /opt/apigee/apigee-service/bin/apigee-service apigee-mtls stop
  4. Remove the old local cert files:
    rm -f /opt/apigee/apigee-mtls/certs/local_cert.pem
    rm -f /opt/apigee/apigee-mtls/certs/local_key.pem
    rm -f /opt/apigee/apigee-mtls/source/certs/local_cert.pem
    rm -f /opt/apigee/apigee-mtls/source/certs/local_key.pem
    rm -rf /opt/apigee/data/apigee-mtls
  5. Copy the new cert/key pair generated in the first step into the following locations, and update permissions:
    cp ${new_cert} /opt/apigee/apigee-mtls/certs/local_cert.pem
    
    chmod \
      --reference=/opt/apigee/apigee-mtls/certs/ca_cert.pem \
      /opt/apigee/apigee-mtls/certs/local_cert.pem
    
    chown \
      --reference=/opt/apigee/apigee-mtls/certs/ca_cert.pem \
      /opt/apigee/apigee-mtls/certs/local_cert.pem
    
    cp ${new_cert} /opt/apigee/apigee-mtls/source/certs/local_cert.pem
    
    chmod \
      --reference=/opt/apigee/apigee-mtls/certs/ca_cert.pem \
      /opt/apigee/apigee-mtls/source/certs/local_cert.pem
    
    chown \
      --reference=/opt/apigee/apigee-mtls/certs/ca_cert.pem \
      /opt/apigee/apigee-mtls/source/certs/local_cert.pem
    
    cp ${new_key} /opt/apigee/apigee-mtls/certs/local_key.pem
    
    chmod \
      --reference=/opt/apigee/apigee-mtls/certs/ca_cert.pem \
      /opt/apigee/apigee-mtls/certs/local_key.pem
    
    chown \
      --reference=/opt/apigee/apigee-mtls/certs/ca_cert.pem \
      /opt/apigee/apigee-mtls/certs/local_key.pem
    
    cp ${new_key} /opt/apigee/apigee-mtls/source/certs/local_key.pem
    
    chmod \
      --reference=/opt/apigee/apigee-mtls/certs/ca_cert.pem \
      /opt/apigee/apigee-mtls/source/certs/local_key.pem
    
    chown \
      --reference=/opt/apigee/apigee-mtls/certs/ca_cert.pem \
      /opt/apigee/apigee-mtls/source/certs/local_key.pem
  6. Restart apigee-mtls:
    /opt/apigee/apigee-service/bin/apigee-service apigee-mtls start
  7. Restart all core Apigee components:
    /opt/apigee/apigee-service/bin/apigee-all start
    See Start/stop/check all components.
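The copy-and-permission step of the custom-CA procedure, written as an added example (not Apigee's own tooling) in POSIX shell: each file is copied and then the page's chmod/chown --reference pattern is applied to that same destination, so the key files get the same treatment as the cert files. APIGEE_MTLS_ROOT (an override of the /opt/apigee/apigee-mtls prefix) and the verify_pair pre-flight check are assumptions of this example; verify_pair needs openssl and confirms the new key matches the new cert and that the cert chains to the CA apigee-mtls already trusts.

```shell
#!/bin/sh
# Added example: install a freshly issued local cert/key pair into both
# apigee-mtls certificate directories used in the rotation steps above.

# Optional pre-flight check (requires openssl): key must match cert, and
# cert must verify against ca_cert.pem, or the mesh will reject this host.
verify_pair() {
  cert="$1"; key="$2"; ca="$3"
  cert_pub=$(openssl x509 -noout -pubkey -in "$cert") || return 1
  key_pub=$(openssl pkey -pubout -in "$key") || return 1
  [ "$cert_pub" = "$key_pub" ] || { echo "key does not match cert" >&2; return 1; }
  openssl verify -CAfile "$ca" "$cert" >/dev/null
}

# Copy one file, then clone mode and owner of the reference file onto the
# destination just written (never onto a neighbouring file).
install_one() {
  src="$1"; dst="$2"; ref="$3"
  cp "$src" "$dst" || return 1
  chmod --reference="$ref" "$dst" || return 1
  chown --reference="$ref" "$dst" || return 1
  cmp -s "$src" "$dst"   # confirm the copy is byte-identical
}

# Usage: install_local_pair NEW_CERT NEW_KEY
# APIGEE_MTLS_ROOT is an assumed override (default /opt/apigee/apigee-mtls).
install_local_pair() {
  new_cert="$1"; new_key="$2"
  root="${APIGEE_MTLS_ROOT:-/opt/apigee/apigee-mtls}"
  ref="$root/certs/ca_cert.pem"
  [ -f "$ref" ] || { echo "missing $ref; cannot clone permissions" >&2; return 1; }
  for dir in "$root/certs" "$root/source/certs"; do
    install_one "$new_cert" "$dir/local_cert.pem" "$ref" || return 1
    install_one "$new_key"  "$dir/local_key.pem"  "$ref" || return 1
  done
}
```

Run verify_pair on the new pair before install_local_pair, while apigee-mtls is still stopped, so a mismatched pair is caught before anything on disk is replaced.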