consul
Fix #20594 : Feature - 'consul tls cert renew' command
Description
Add a new CLI cmd to renew an existing TLS server certificate:
consul tls cert renew
fixes #20594
The approach used to renew the existing TLS certificate:
- A new public key (cert file) is created with the same (existing) input private key.
- The same CA used to generate the initial cert is used to sign. The CA file path is to be input.
Testing & Reproduction steps
- Create a CA with the cmd
consul tls ca create
- Create a cert with the cmd
consul tls cert create -server
- Renew the certificate created in step 2 with the same private key created in step 2, using the new cmd:
consul tls cert renew -server -existingkey=<key file created in step2>
- Replace the cert file created in step 2 with the new (renewed) cert file created in step 3.
- This will avert having to distribute a new trust chain to all clients and avoid a service disruption to clients.
Links
PR Checklist
- [x] updated test coverage
- [ ] external facing docs updated
- [ ] appropriate backport labels added
- [ ] not a security concern
Hi @david-yu, kindly review this PR.
Did one more round of self-review and thought of adding an improvement: ideally, for the cert renew command, args like domain, dc, server/client/cli, etc. should not be required as input. These should be read from the existing certificate. So I added the arg -existingcert and removed the redundant args. The updated arg list is: -existingcert -existingkey -ca -key -days -dnsnames -ipaddresses
- -existingcert and -existingkey are mandatory: paths to the existing cert.pem and key.pem files that have to be renewed.
- -ca and -key: paths to the CA cert and key files.
- -days: defaults to 365.
- -dnsnames and -ipaddresses: these are also read from the existing cert; additional dnsnames and ipaddresses, if any, can be added here while renewing.
@reskin89
This pull request has been automatically flagged for inactivity because it has not been acted upon in the last 60 days. It will be closed if no new activity occurs in the next 30 days. Please feel free to re-open to resurrect the change if you feel this has happened by mistake. Thank you for your contributions.
Reminding to review this PR