Hello everyone,
I have a doubt related to certificate rotation, specifically root CA rotation. I’ve read the documentation on transport encryption.
The doc states the following:
- If a cert-manager is used, it should take care of updating the certificates. … This allows to reissue TLS certificates automatically on schedule and without downtime.
- If you don’t use cert-manager and have created certificates manually, you can follow the next steps to perform a no-downtime update of these certificates if they are still valid. (followed by the steps)
Now, the steps for rotating the certificates manually suggest combining the old CA with a newly generated one, so that when the servers restart, they trust both new and old certificates since they have the combined CAs bundled together, which totally makes sense.
But, if using Cert Manager, how does it work? Cert Manager will not bundle the old and new CAs in a combined way. It will directly replace the old secret with the new CA. The old will be gone.
What happens after the CA is rotated, forcing rotation of the certificates generated from it? How do the operator and PXC nodes handle such a situation? When one of the PXC nodes is restarted, the CA of that node will be different from the others, I think.
Or will the operator somehow perform some operations to avoid this situation?
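
The trust relationship the question turns on can be reproduced locally with `openssl`. This is an added example, not part of the original post or the operator's documentation, and it says nothing about what the operator or cert-manager actually do; the names `old-ca`, `new-ca`, `node-a` and `node-b` are constructed for the demo.

```bash
#!/usr/bin/env bash
# Constructed demo: CA and node names are hypothetical, keys are throwaway.
set -e

# make_ca NAME: self-signed CA key and certificate in $WORK/NAME.{key,crt}
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# make_leaf NAME CA: node certificate NAME signed by CA
make_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 30 -out "$WORK/$1.crt" 2>/dev/null
}

# trusts BUNDLE LEAF: prints "ok" if LEAF chains to a CA in BUNDLE, else "fail"
trusts() {
  if openssl verify -CAfile "$WORK/$1" "$WORK/$2.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Prints which peer certificates each trust store accepts during a rotation.
rotation_demo() {
  WORK=$(mktemp -d)
  make_ca old-ca
  make_ca new-ca
  make_leaf node-a old-ca   # node still presenting a certificate from the old CA
  make_leaf node-b new-ca   # node already reissued from the new CA
  cat "$WORK/old-ca.crt" "$WORK/new-ca.crt" > "$WORK/combined.crt"
  echo "combined/node-a=$(trusts combined.crt node-a)"
  echo "combined/node-b=$(trusts combined.crt node-b)"
  echo "new-only/node-a=$(trusts new-ca.crt node-a)"
  echo "new-only/node-b=$(trusts new-ca.crt node-b)"
  echo "old-only/node-b=$(trusts old-ca.crt node-b)"
  rm -rf "$WORK"
}

rotation_demo
```

With the combined bundle both nodes verify each other; with a trust store that holds only one of the two CAs, the node on the other CA is rejected, which is the mismatch the manual procedure's overlap step avoids.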