TLS certificate rotation
One of the original dreams for Replicante Core was to have a WebUI button/automation
around TLS certificates:
- Check certificate validity dates (for all certificates in the chain)
- Integrate with some certificate manager solution like lemur
- Provide an action and playbook to replace certificates on all nodes
- Consider that CAs may need to be replaced as well as leaf certs:
  - Install two CA certificates (old and new) as the trusted CAs for nodes
  - Rolling deploy leaf certificates built from the new CA to all nodes
  - Replace the two CA certificates with only the new one
- CAs add complexity because there are multiple levels and not all are always managed by the same organisation and/or department.
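The three-phase CA replacement listed above, together with the "check validity dates for all certificates in the chain" item, as an added worked example in Go. This is not Replicante Core code (none is shown on this page); the CA names, host name and validity periods are constructed for the demonstration. It builds a throw-away old and new root CA, issues one leaf certificate from each, and checks which leaves a node accepts while both CAs are in its trust store versus after the old CA has been removed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// serial numbers for the throw-away certificates generated below (constructed, not real PKI)
var serial int64

func newSerial() *big.Int { serial++; return big.NewInt(serial) }

// caTemplate describes a root CA valid between notBefore and notAfter.
func caTemplate(name string, notBefore, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{SerialNumber: newSerial(), Subject: pkix.Name{CommonName: name},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
}

// leafTemplate describes the server certificate of one node.
func leafTemplate(host string, notBefore, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{SerialNumber: newSerial(), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: notBefore, NotAfter: notAfter,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
}

// issue generates a fresh key for tmpl and signs tmpl under parent with parentKey.
// Pass parent == tmpl and parentKey == nil for a self-signed CA. Failures here mean
// the RNG is broken or the template is wrong, so the demo treats them as fatal.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parentKey == nil {
		parentKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// trustedBy reports whether leaf chains to one of cas for host at time now:
// exactly what a node with those CAs in its trust store would accept.
func trustedBy(leaf *x509.Certificate, cas []*x509.Certificate, host string, now time.Time) bool {
	pool := x509.NewCertPool()
	for _, ca := range cas {
		pool.AddCert(ca)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, CurrentTime: now})
	return err == nil
}

// soonestExpiry returns the subject and NotAfter of the chain member that expires
// first: a leaf is only usable while every CA above it is still valid.
func soonestExpiry(chain []*x509.Certificate) (string, time.Time) {
	first := chain[0]
	for _, c := range chain[1:] {
		if c.NotAfter.Before(first.NotAfter) {
			first = c
		}
	}
	return first.Subject.CommonName, first.NotAfter
}

// RotationResult records which leaf certificates each trust-store phase accepts.
type RotationResult struct {
	OldLeafDuringOverlap, NewLeafDuringOverlap bool // both CAs trusted
	OldLeafAfterCutover, NewLeafAfterCutover   bool // only the new CA trusted
}

// simulateRotation walks the three phases: trust both CAs, roll out leaves signed
// by the new CA, then drop the old CA from the trust store.
func simulateRotation(host string, now time.Time) RotationResult {
	day := 24 * time.Hour
	oldT := caTemplate("Old Root CA", now.Add(-365*day), now.Add(30*day))
	oldCA, oldKey := issue(oldT, oldT, nil)
	newT := caTemplate("New Root CA", now.Add(-day), now.Add(3650*day))
	newCA, newKey := issue(newT, newT, nil)
	oldLeaf, _ := issue(leafTemplate(host, now.Add(-day), now.Add(7*day)), oldCA, oldKey)
	newLeaf, _ := issue(leafTemplate(host, now.Add(-day), now.Add(90*day)), newCA, newKey)
	both, onlyNew := []*x509.Certificate{oldCA, newCA}, []*x509.Certificate{newCA}
	return RotationResult{
		OldLeafDuringOverlap: trustedBy(oldLeaf, both, host, now),
		NewLeafDuringOverlap: trustedBy(newLeaf, both, host, now),
		OldLeafAfterCutover:  trustedBy(oldLeaf, onlyNew, host, now),
		NewLeafAfterCutover:  trustedBy(newLeaf, onlyNew, host, now),
	}
}

func main() {
	fmt.Printf("%+v\n", simulateRotation("node1.example.internal", time.Now()))
}
```

`trustedBy` evaluates the chain at an explicit time, which is the point of checking dates for every certificate in the chain rather than just the leaf: when a CA's NotAfter precedes the leaf's, nodes stop accepting that leaf on the CA's date, so an automation that only watches leaf expiry would miss it. The old CA above is deliberately given a short remaining lifetime and the overlap phase is what keeps old-CA leaves working until the rolling deploy has replaced them.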