How Do You Rotate Certificates?

Problem scenario
You have load balancers, web servers, and other HTTP technologies that rely on SSL or TLS certificates. Some certificates will be revoked for security reasons. How do you provision new certificates to replace them, either because they are about to expire or because you want to harden your environment by refreshing them, since older certificates are more likely to have been compromised than newly issued ones?

Solution
Plan for lower capacity than normal while the rotation is in progress, and therefore schedule the work in production for an off-peak time.

Possible Solution #1
You could pay a third-party company that is a certificate authority for new certs.

Possible Solution #2
Use AWS Certificate Manager
https://aws.amazon.com/certificate-manager/

Possible Solution #3
Use Google-managed SSL certs
https://cloud.google.com/kubernetes-engine/docs/how-to/managed-certs

Possible Solution #4
If you use Azure Active Directory, you could try AD certificate-based authentication. See this Microsoft posting for more information.

Possible Solution #5
Azure App Service certificates. To use one, see this: https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-certificate

The benefits are explained here: https://www.azuretechguy.com/azure-app-service-certificate

Possible Solution #6
Letsencrypt.org

Possible Solution #7
Install openssl and use it. If you need assistance using openssl, see these postings:
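
As an added example (not from the original posting), the three openssl checks that a rotation needs: whether the current cert is close to expiry, whether the new private key actually matches the new cert, and whether the new cert is valid for the window you expect. The file names, the CN, and the local self-signing step are assumptions; in practice a CA returns new.crt from new.csr.

```shell
#!/bin/sh
# Added example, not from the original post. File names, the CN and the
# self-signing stand-in are assumptions; a real CA issues new.crt from new.csr.
set -eu

# Exit 0 if the cert in $1 is still valid $2 days from now, 1 if it will have
# expired by then (so "! cert_valid_beyond_days old.crt 30" means: rotate soon).
cert_valid_beyond_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Exit 0 only if the public key inside cert $2 matches private key $1.
# Deploying a cert with the wrong key is the classic rotation outage.
key_matches_cert() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ "$key_pub" = "$crt_pub" ]
}

# Create a fresh key pair and CSR in $1 for CN $2, then a stand-in cert valid
# for $3 days. Never reuse the key being retired: rotating the cert but not
# the key leaves an old, possibly leaked, key in service.
issue_new_pair() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$1/new.key" 2>/dev/null
  # Add -addext "subjectAltName=DNS:$2" (OpenSSL 1.1.1+) for a real submission.
  openssl req -new -key "$1/new.key" -out "$1/new.csr" -subj "/CN=$2" 2>/dev/null
  # Local self-sign stands in for the CA; in production submit new.csr instead.
  openssl x509 -req -in "$1/new.csr" -signkey "$1/new.key" -days "$3" \
    -out "$1/new.crt" 2>/dev/null
}

# Run the whole sequence in a scratch directory: ROTATE_DEMO=1 sh rotate.sh
if [ "${ROTATE_DEMO:-0}" = 1 ]; then
  work=$(mktemp -d)
  issue_new_pair "$work" "www.example.internal" 90
  key_matches_cert "$work/new.key" "$work/new.crt" && echo "key/cert match: ok"
  cert_valid_beyond_days "$work/new.crt" 30 && echo "valid for 30 days: ok"
  cert_valid_beyond_days "$work/new.crt" 120 || echo "expires within 120 days: as expected"
  openssl x509 -in "$work/new.crt" -noout -subject -enddate
  rm -rf "$work"
fi
```

Run the same two checks against the cert and key you are about to load into the balancer or web server before reloading it, not after.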

Possible Solution #8
If you use IoT and AWS, see this posting, as Lambda functions can be readily leveraged to rotate certificates at scale.

Possible Solution #9
Use Cloud Conformity.

Possible Solution #10 (for CloudFront certs)
See this Amazon article.

Possible Solution #11 (for RDS certs)
See this Amazon article.

Possible Solution #12 (for Kubernetes)


To see how to rotate IAM keys, see this posting.
