v2.23 Preview Preview release - not for production v2024.1 STS Stable release with standard-term support v2.20 LTS Stable release with long-term support v2.18 STS Stable release with standard-term support v2.14 LTS Stable release with long-term support Unsupported versions

Rotate certificates

Rotate certificates used by a universe

You can rotate certificates for universes configured with the same type of certificates. This involves replacing existing certificates with new database node certificates.

Before rotating certificates, ensure that you have added the certificates to YugabyteDB Anywhere. Refer to Add certificates.

Rotating the CA certificate on the source universe with xCluster Replication causes replication to pause. You should restart replication after completing the CA certificate rotation on the source universe.

Client-to-node certificates

Regardless of whether the client-to-node certificates are expired or not expired, you can always trigger a rolling upgrade to rotate the certificates.

  • If the universe was created before v2.16.6, then the rotation requires a restart, which can be done in a rolling manner with no downtime.
  • If the universe was created after v2.16.6, then the rotation can be done without a restart and no downtime.

Node-to-node certificates

If the certificate has expired, the rotation requires a simultaneous restart of all nodes, resulting in some downtime.

If the certificate has not expired, the rotation can be done using a rolling upgrade.

  • If the universe was created before v2.16.6, then the rotation requires a restart, which can be done in a rolling manner with no downtime.
  • If the universe is created after v2.16.6, then the rotation can be done without a restart and no downtime.

You can always opt to not perform rolling updates to update all nodes at the same time, but this will result in downtime.

Rotate certificates

To modify encryption in transit settings and rotate certificates for a universe, do the following:

  1. Navigate to your universe.

  2. Click Actions > Edit Security > Encryption in-Transit to open the Manage encryption in transit dialog.

    Rotate certificates

  3. To rotate the CA certificate, on the Certificate Authority tab, select the new CA certificate(s).

    If you wish to have YBA generate a new self-signed CA certificate automatically, delete the root certificate field.

  4. To rotate the server certificates, on the Server Certificate tab, select the Rotate Node-to-Node Server Certificate and Rotate Client-to-Node Server Certificate options as appropriate.

  5. Select the Use rolling upgrade to apply this change option to perform the upgrade in a rolling update (recommended) and enter the number of seconds to wait between node upgrades.

  6. Click Apply.