Rotate the Certificate Authority
You can use the Sensor Proxy command line interface to rotate your certificate authority (CA) or service certificates without disrupting agent connections. This ensures your agents maintain seamless communication with Sensor Proxy during security updates.
For more information about CA rotation, see Certificate Authority Rotation.
To rotate the CA or server certificates:

1. Generate or install the new certificates:
   - To generate a new server certificate without regenerating the CA, run:
     /opt/sensor_proxy/sbin/configure -nextCert
   - To generate both a new self-signed CA and new server certificates, run:
     /opt/sensor_proxy/sbin/configure -nextCert -appendCA
   - To install custom certificates, run:
     /opt/sensor_proxy/sbin/configure -installCert -ca <path/to/custom_ca_certificate> -publicKey <path/to/custom_server_certificate_public> -privateKey <path/to/custom_server_certificate_private>

2. Restart Sensor Proxy to begin distributing the new CA to connected agents. Run the following command:
   sudo systemctl restart sensorproxy

3. Monitor the CA rotation status to verify that agents receive the new CA by running:
   /opt/sensor_proxy/sbin/configure -agent-ca-report
   - (Optional) To export details of all agents, use the -export-all-agents flag. By default, this flag exports data in JSON format.
   - (Optional) To export details of agents that have not yet migrated, use the -export-agents-not-migrated flag. By default, this flag exports data in JSON format.
   Note: You can use the -export-all-agents and -export-agents-not-migrated flags with or without the -agent-ca-report flag.
   - (Optional) If you set the -export-all-agents or -export-agents-not-migrated flag, you can append -force-pull-agentdata to force an immediate data pull from Tenable Vulnerability Management instead of waiting for the standard 12-hour interval.
   - (Optional) If you set the -export-all-agents or -export-agents-not-migrated flag, you can append -csv to export the report data to a CSV file instead of the default JSON format.

4. Review the output to verify that your active agents have updated to the latest CA. Based on your active agent status, decide whether you are ready to proceed with the certificate rotation.
   Caution: Do not rotate and apply the new server certificates until the CA report confirms that 100% of your agents have the updated CA. After rotation, any agents that have not updated to the latest CA might fail to connect.

5. Apply the new server certificates and automatically back up the old ones by running:
   /opt/sensor_proxy/sbin/configure -rotateCert

6. Restart Sensor Proxy to finalize the rotation and use the newly applied certificates.
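The "100% of agents" gate from the caution above, turned into a script that refuses to run -rotateCert while any agent is still on the old CA. This is an added example, not Tenable's own tooling; it assumes that -export-agents-not-migrated writes a JSON array with one object per agent to the path in REPORT_PATH, and that a zero exit code from configure means success.

```python
"""Gate Sensor Proxy server-certificate rotation on the agent CA report.

Added example, not Tenable's code. Assumptions (not stated on the page):
- `configure -export-agents-not-migrated` writes a JSON array, one object per
  agent still on the old CA, to REPORT_PATH.
- configure exits 0 on success, so check=True is a valid failure signal.
"""
import json
import subprocess
import sys
from pathlib import Path

CONFIGURE = "/opt/sensor_proxy/sbin/configure"
REPORT_PATH = Path("/tmp/agents_not_migrated.json")  # assumed output location


def agents_not_migrated(report_text: str) -> list:
    """Parse the export and return the agent records that still lack the new CA."""
    data = json.loads(report_text)
    if not isinstance(data, list):
        raise ValueError("expected a JSON array of agent records")
    return data


def rotation_allowed(report_text: str) -> bool:
    """True only when zero agents remain on the old CA (the page's 100% rule)."""
    return len(agents_not_migrated(report_text)) == 0


def run_configure(*flags: str) -> None:
    """Run the Sensor Proxy configure CLI and fail loudly on a non-zero exit."""
    subprocess.run([CONFIGURE, *flags], check=True)


def main() -> int:
    # Step 3: refresh the not-migrated report now instead of waiting 12 hours.
    run_configure("-agent-ca-report", "-export-agents-not-migrated", "-force-pull-agentdata")
    report_text = REPORT_PATH.read_text()
    if not rotation_allowed(report_text):
        pending = len(agents_not_migrated(report_text))
        print(f"{pending} agent(s) still on the old CA; not rotating", file=sys.stderr)
        return 1
    # Steps 5 and 6: every agent reports the new CA, so apply and restart.
    run_configure("-rotateCert")
    subprocess.run(["sudo", "systemctl", "restart", "sensorproxy"], check=True)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it from cron or a change window; a non-zero exit means at least one agent would be cut off by rotating now.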