What is the extent of certificate renewal?

Does openziti renew every certificate so that I don't ever have to think about it again?

I think the last cert that needs to have automatic rotation enabled is the controller's server certificate. There are plans to automate this process but I'm unsure when it will be enabled. One alternative is to generate the server cert and allow it to last for a long time. By default, OpenZiti will create a server certificate that is valid for ~one year. You could choose to make that 10 or 20 if you like.

If you used a docker container to deploy the controller (from the deployments section of the doc), it's currently configured to renew the cert on restart in an effort to make the renewal a tad easier on the network operator.

If that's the only thing that should be updated manually, then I can do it manually by scheduling it on my task management system.

There seems to be a distinction between controller cert and controller server cert. What is the difference?

Are you referring to the identity block at the top of a config file? Looking something like this?

identity:
  cert:        "/home/ubuntu/.ziti/quickstart/ip-172-31-47-200/pki/ec2-3-18-113-172.us-east-2.compute.amazonaws.com-intermediate/certs/ec2-3-18-113-172.us-east-2.compute.amazonaws.com-client.chain.pem"
  server_cert: "/home/ubuntu/.ziti/quickstart/ip-172-31-47-200/pki/ec2-3-18-113-172.us-east-2.compute.amazonaws.com-intermediate/certs/ec2-3-18-113-172.us-east-2.compute.amazonaws.com-server.chain.pem"
  key:         "/home/ubuntu/.ziti/quickstart/ip-172-31-47-200/pki/ec2-3-18-113-172.us-east-2.compute.amazonaws.com-intermediate/keys/ec2-3-18-113-172.us-east-2.compute.amazonaws.com-server.key"
  ca:          "/home/ubuntu/.ziti/quickstart/ip-172-31-47-200/pki/cas.pem"
  alt_server_certs:
    - server_cert:  "/etc/letsencrypt/live/cdaws.clint.demo.openziti.org/fullchain.pem"
      server_key:   "/etc/letsencrypt/live/cdaws.clint.demo.openziti.org/privkey.pem"

If that's what you're referring to, then the cert entry represents the cert the OpenZiti component (I say component, because routers will also have this identity block) will use when initiating a connection to another piece of the OpenZiti overlay. If you only have one controller, this entry will never* be used (* I mean, never say 'never', right?) because the controller doesn't connect to anything, everything connects to it, so the cert field would be unused.

If that's not what you mean, I generally try to clarify the differences. So if I slipped up and said just "controller cert" somewhere, that's just me being lazy/forgetful.

hth


Yes. Why do you need two different certs for incoming connections and outgoing connections?

Does the documentation say which certs are automatically renewed?

Technically, you don't. You can certainly set them to the same cert if you want. I don't believe the doc has any mention of which certs are renewed automatically but it should. We are planning an overhaul of the doc in the coming months, I'll add a task for that as well since it's a vital component of the overlay.

In the meantime, the algolia-provided search is pretty useful if the search term used matches our doc. I only mention it because it's easy for people to miss but it's really useful (lots of people don't see the search box up on the top right). I did a quick scan for 'renew' to see if the search would find any related doc and this is already out there. It's in a section that's more reactionary than informational, but that's what we have, hopefully it's helpful. I'll add a task to add a bit more about cert lifecycles...

EDIT:


So, does this mean that if I have only one controller, I need to renew only these on the controller?

web:
  - name: client-management
    bindPoints:
      - interface: 0.0.0.0:443
        address: oz1.xxxxxx.com:443
    identity:
      ca:          "pki/root/certs/root.cert"
      key:         "pki/intermediate/keys/server.key"
      server_cert: "pki/intermediate/certs/server.chain.pem"
      cert:        "pki/intermediate/certs/client.chain.pem"

Do you have any script to renew those?

Hi @timnis, the link above shows you how to renew them. Yes, if you only have one controller you only *need* to renew the server_cert. However, I'd do them both just in case. It's only a couple of commands. I do recommend - back up the PKI and controller configurations etc. before modifying something...

If you are using a docker 'deployment' (ie, not a quickstart) you just need to restart the docker container. It's currently set to renew certs on restart of the process regardless.

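Since the thread establishes that the controller's server certificate is not renewed automatically (default validity about one year, renewal done by hand or on container restart), the operator needs to know when each file in the identity block is about to expire. The following is an added example, not code from this thread or from the OpenZiti project: it parses a PEM chain, reports days remaining against a warning window, and checks that the certificate's extended key usage matches its slot (client auth for `cert`, which the reply above says is used for outbound connections; server auth for `server_cert`, presented to inbound connections). The function names, the `Report` type, the assumption that `*.chain.pem` files carry the leaf certificate first, and the self-signed sample certificates are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Role mirrors the two certificate keys of the identity block in the controller config.
type Role string

const (
	RoleCert       Role = "cert"        // presented when this component dials another (client auth)
	RoleServerCert Role = "server_cert" // presented to components that connect to us (server auth)
)

// Report summarises the expiry and role check for one certificate file.
type Report struct {
	Role     Role
	Subject  string
	NotAfter time.Time
	DaysLeft int  // whole days until NotAfter, negative once expired
	Warn     bool // true when DaysLeft is below the warning window
	Expired  bool // true when now is at or past NotAfter
	EKUOK    bool // true when the extended key usage matches the role
}

// CheckPEM inspects the first CERTIFICATE block of a PEM chain (assumed leaf-first,
// like the *.chain.pem files quoted in the thread) relative to the supplied time.
func CheckPEM(role Role, chainPEM []byte, now time.Time, warnDays int) (Report, error) {
	block, _ := pem.Decode(chainPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return Report{}, errors.New("no CERTIFICATE block found in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return Report{}, err
	}
	days := int(cert.NotAfter.Sub(now).Hours() / 24)
	return Report{
		Role:     role,
		Subject:  cert.Subject.CommonName,
		NotAfter: cert.NotAfter,
		DaysLeft: days,
		Warn:     days < warnDays,
		Expired:  !now.Before(cert.NotAfter),
		EKUOK:    hasEKU(cert, role),
	}, nil
}

// hasEKU reports whether the certificate carries the extended key usage expected for the role.
func hasEKU(cert *x509.Certificate, role Role) bool {
	want := x509.ExtKeyUsageServerAuth
	if role == RoleCert {
		want = x509.ExtKeyUsageClientAuth
	}
	for _, eku := range cert.ExtKeyUsage {
		if eku == want {
			return true
		}
	}
	return false
}

// SelfSignedPEM builds a constructed sample certificate with the given validity in years;
// it stands in for a real controller certificate so the example runs offline.
func SelfSignedPEM(cn string, eku x509.ExtKeyUsage, notBefore time.Time, years int) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notBefore.AddDate(years, 0, 0),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{eku},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	// Constructed sample: a one-year server cert (the default the thread mentions) checked 350 days in.
	issued := time.Now().AddDate(0, 0, -350)
	p, err := SelfSignedPEM("controller.example (sample)", x509.ExtKeyUsageServerAuth, issued, 1)
	if err != nil {
		panic(err)
	}
	r, err := CheckPEM(RoleServerCert, p, time.Now(), 30)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s %q expires %s (%d days left) warn=%v expired=%v eku_ok=%v\n",
		r.Role, r.Subject, r.NotAfter.Format(time.RFC3339), r.DaysLeft, r.Warn, r.Expired, r.EKUOK)
}
```

In practice the operator would feed `CheckPEM` the files named under `identity:` (and under each `web:` bindpoint identity) from a scheduled job, treat `Warn` or `Expired` as the trigger to run the manual renewal the thread links to, and treat `EKUOK == false` as a sign that a file landed in the wrong slot after a renewal. The `issued` date in `main` is relative to the current time only so the stand-alone run always produces a certificate inside the warning window.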

Thanks @TheLumberjack.

Maybe I need to change my controller to docker 'deployment' 🤔

And no need to change certificates on routers 👍

Is the certificate authority rotated automatically by the controller?

CAs are never rotated automatically. For a production-style (long-term) deployment, you'll likely have a single Root CA/key somewhere offline that will need to generate a new CA. Since it'll be offline, there's no way for the controller to do that automatically.


Can the controller actually rotate its own root CA?

Can the controller server certificate be renewed automatically?

No.

Not at this time, no.


If I rotate CA or controller server certificate manually, do other certificates have to be rotated manually, too?

I don't believe so. Routers will update their server certificate on their own and I believe our tunnelers all are able to rotate a cert as needed now.
