Certificate Authority Rotation
Certificate authority (CA) rotation is a process that allows you to manage and change Sensor Proxy's CA without disrupting existing agent connections. By using specific command-line interface (CLI) flags, you can generate or install new certificates, distribute the updated CA to agents safely, and apply the new server certificates without interrupting service.
The CA rotation process occurs in three main stages to ensure continuous connectivity:
- New certificates (either self-signed or custom) are generated or installed alongside the existing ones in a designated directory. Sensor Proxy then begins distributing the updated CA to all currently connected agents through its standard workflow. New agents connecting via a link also automatically receive the updated CA.
- Monitor the migration status using a built-in reporting tool to verify that your active agents have successfully received the new CA.
- Once you confirm your active agents are updated, you rotate the certificates. This action moves the old certificates to a timestamped backup directory and applies the new server certificates for immediate use.
Rotating your CA is a critical security practice. This feature ensures that you can perform necessary certificate updates without causing agent disconnects or blind spots in your vulnerability management coverage. By allowing agents to receive and trust the new CA before the server certificates are actually swapped, it guarantees a seamless transition and continuous agent communication.
For instructions on how to rotate the CA, see Rotate the Certificate Authority.
Requirements and Considerations
- You must restart Sensor Proxy after generating or installing new CAs to begin distribution.
- You must restart Sensor Proxy again after the final certificate rotation for the changes to take effect.
Caution: Do not rotate and apply the new server certificates until the CA report confirms 100% of your agents have the updated CA. After rotation, any agents that have not updated to the latest CA might fail to connect.
- If issues arise after a rotation, you can revert to a previous state by restoring your backed-up certificates. To manually restore them, follow these steps:
  - Copy the backed-up certificate files from the timestamped directory to the active SSL directory. For example:
    sudo cp /usr/local/etc/nginx/ssl/certs-<date>-<time>/* /usr/local/etc/nginx/ssl/
  - Restart Sensor Proxy to apply the restored certificates by running the following command:
    sudo systemctl restart sensorproxy
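The restore procedure above, wrapped in a small helper script. This is an added example, not part of the Sensor Proxy product or of this page; it assumes the backup directories are named certs-<date>-<time> in a form that sorts chronologically by name, and the PEM sanity check and the pre-restore stash of the current files are this example's own additions.

```shell
# Restore the most recent Sensor Proxy certificate backup.
# Assumed layout (from the page): backups live in <ssl_dir>/certs-<date>-<time>/
# and the active files live directly in <ssl_dir>/. The "certs-*" name pattern
# sorting chronologically and the PEM check are assumptions of this example.
set -eu

SSL_DIR="${SSL_DIR:-/usr/local/etc/nginx/ssl}"

# Print the newest certs-<date>-<time> backup directory under $1, or fail.
latest_backup() {
  local ssl_dir="$1" newest
  newest=$(ls -d "$ssl_dir"/certs-*/ 2>/dev/null | sort | tail -n 1)
  [ -n "$newest" ] || { echo "no certs-* backup under $ssl_dir" >&2; return 1; }
  printf '%s\n' "${newest%/}"
}

# Refuse to restore a backup directory that holds no PEM-looking files.
check_backup() {
  local dir="$1" f
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    grep -q -- '-----BEGIN' "$f" && return 0
  done
  echo "no PEM material in $dir" >&2
  return 1
}

# Copy every file from the backup dir into the active SSL dir, stashing the
# current files first so the restore itself can be undone.
restore_certs() {
  local backup="$1" ssl_dir="$2" stash
  check_backup "$backup"
  stash="$ssl_dir/pre-restore-$(date +%Y%m%d-%H%M%S)"
  mkdir -p "$stash"
  find "$ssl_dir" -maxdepth 1 -type f -exec cp -p {} "$stash"/ \;
  cp -p "$backup"/* "$ssl_dir"/
  echo "restored from $backup (previous files kept in $stash)"
}

# The page's two restore steps, in order: copy the backup, then restart.
restore_latest() {
  restore_certs "$(latest_backup "$SSL_DIR")" "$SSL_DIR"
  sudo systemctl restart sensorproxy
}
```

Source the script and run restore_latest as a user allowed to sudo; set SSL_DIR first if your SSL directory differs from the page's default path.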