CA Certificate Rotation of Internal Service

Overview

Aviatrix gateways receive X.509 certificate identities from an internal Certificate Authority (CA) running on the Controller. This identity secures the control-plane connections between gateway and controller, and provides certificate-based authentication for Site-to-Cloud (S2C) connections between Aviatrix S2C gateways and on-prem gateways. Rotate this CA when it is approaching expiration or when re-keying is required to maintain a secure gateway identity.

This guide includes workflows of rotating the CA certificate for environments with and without certificate-based authentication for Site-to-Cloud (S2C) connections.

Rotation Options

  • Simple Rotation: This is a standalone CA rotation. This option is for environments without S2C cert-based authentication.

  • Staged Rotation: This is a CA rotation with S2C Cert Authentication. This option is for environments relying on CA-signed S2C certificates.

Perform a Simple Internal Service CA Rotation

Prerequisites

  • Access to Settings > Configuration > Certificate Store

  • No S2C tunnels use certificate authentication

  • Ensure all gateways are up and running before each step

Step 1: Prepare a New CA in Certificate Store

  1. Go to Settings > Configuration > Certificate Store.

  2. Click + Certificate.

  3. Choose Generate Certificate or Upload Certificate. We recommend generating a new certificate.

    • For Generate Certificate (Recommended):

      1. Enter a name for the new CA.

      2. Select a validity period.

    • For Upload Certificate:

      1. Enter a name for the new CA.

      2. Upload the CA Certificate file in PEM format.

      3. Upload the CA Private Key file in PEM format.

  4. Click Add.

Step 2: Prepare the New CA for Internal Service

  1. Go to Networking > Connectivity > Settings.

  2. Click Rotate Certificate.

  3. Select the new CA certificate and click Prepare.

Step 3: Activate the New CA and Remove the Old CA

This step will take some time. Do not close the browser window, navigate to other pages, or refresh the page while this process is running.

  1. From Networking > Connectivity > Settings, locate the newly Prepared CA entry in the listed Certificate table.

  2. Click Activate.

After activation, the new CA becomes active and the previously active CA is deactivated and will be removed automatically.

Perform a Staged Internal Service CA Rotation with S2C Certificate Authentication

Choose this workflow to rotate the Internal Service CA when using certificate-based authentication for Site-to-Cloud (S2C) connections.

Prerequisites

  • The administrator must have direct access to the on-prem gateways, or an indirect channel to them, so that their trust bundle can be updated.

Step 1: Prepare a New CA in Certificate Store

  1. Go to Settings > Configuration > Certificate Store.

  2. Click + Certificate.

  3. Choose Generate Certificate or Upload Certificate. We recommend generating a new certificate.

    • For Generate Certificate (Recommended):

      1. Enter a name for the new CA.

      2. Select a validity period.

    • For Upload Certificate:

      1. Enter a name for the new CA.

      2. Upload the CA Certificate file in PEM format.

      3. Upload the CA Private Key file in PEM format.

  4. Click Add.

Step 2: Prepare the New CA for Internal Service

  1. Go to Networking > Connectivity > Settings.

  2. Click Rotate Certificate.

  3. Select the new CA certificate and click Prepare.

Step 3: Install the New Trust Bundle

  1. Click Download Trust Bundle to download the bundle containing both current and new CA certificates.

  2. Install the trust bundle on all on-prem gateways configured for certificate-based authentication connections.

Step 4: Activate the New CA

  1. Locate the Prepared CA.

  2. Click Activate.

Once you activate the new CA, it becomes the active CA and the old CA is removed automatically. Any on-prem gateway that did not install the new trust bundle (from Step 3) cannot establish new certificate-based S2C tunnels with Aviatrix S2C gateways after activation.

Step 5 (Optional): Install the Pruned Trust Bundle

If the previously active CA is considered compromised, you must complete this step to keep S2C connections secure. Otherwise, you can skip this step.

  1. Click Download Trust Bundle to download the pruned bundle containing only the newly activated CA certificate.

  2. Install this trust bundle on all on-prem gateways.

  3. Ensure the previously active CA certificate is removed from each on-prem gateway’s trust bundle.

This step is critical for maintaining security. If the old CA certificate is not removed, certificates issued by the compromised CA remain trusted, which may allow unauthorized S2C connections.
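The following is an added example, not Aviatrix tooling: it models the Step 3 (staged) and Step 5 (pruned) trust bundles with constructed throwaway CAs and uses openssl to check which gateway certificates each bundle accepts and whether a CA is approaching expiration. All CA, gateway and file names are assumptions made up for the example.

```shell
# Added example, not Aviatrix tooling: models the Step 3 (staged) and Step 5
# (pruned) trust bundles with constructed throwaway CAs and uses openssl to
# check which gateway certificates each bundle accepts. All names are made up.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Create a self-signed CA: $1 = file prefix, $2 = common name.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}
# Issue a gateway (leaf) certificate: $1 = file prefix, $2 = signing CA prefix.
make_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" \
    -CAcreateserial -days 30 -sha256 -out "$1.crt" >/dev/null 2>&1
}
# Succeeds only if leaf $1 chains to a CA contained in trust bundle $2.
leaf_accepted_by() {
  openssl verify -CAfile "$2" "$1.crt" >/dev/null 2>&1
}
# Number of CA certificates carried by bundle $1.
bundle_ca_count() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}
# Succeeds if CA $1 expires within $2 seconds (the "approaching expiration"
# trigger from the Overview); openssl -checkend returns 0 when it does NOT.
ca_expires_within() {
  ! openssl x509 -in "$1.crt" -noout -checkend "$2" >/dev/null 2>&1
}

make_ca old-ca "old-internal-ca"        # currently active CA
make_ca new-ca "new-internal-ca"        # CA created in Step 1
make_leaf old-gw old-ca                 # gateway identity issued by the old CA
make_leaf new-gw new-ca                 # gateway identity issued after activation
cat old-ca.crt new-ca.crt > staged.pem  # Step 3 bundle: current + new CA
cp new-ca.crt pruned.pem                # Step 5 bundle: new CA only

echo "staged bundle CAs: $(bundle_ca_count staged.pem), pruned: $(bundle_ca_count pruned.pem)"
for b in staged.pem pruned.pem; do
  for gw in old-gw new-gw; do
    if leaf_accepted_by "$gw" "$b"; then echo "$b accepts $gw"; else echo "$b rejects $gw"; fi
  done
done
```

The staged bundle accepts identities from both CAs, so tunnels keep working across activation; the pruned bundle rejects anything the old CA issued, which is the property Step 5 relies on when that CA is compromised.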