    Rolling Certificates

    Last updated on February 12, 2021.

    Last Reviewed and Approved on PENDING REVIEW

    Introduction

    Certificates can be rolled (replaced) through either PowerShell or the RPS Web UI.

    The certificate rolling process is executed by assigning the UpdateNodeCertificates TaskMap (which is of TaskMap type CertificatesManagement). This TaskMap contains the instructions, or more specifically the Task Map steps, responsible for correctly publishing the updated certificate configuration. It also creates and activates new RPS-signed and CA-signed certificates, publishes Desired State Configuration (DSC), configures Windows Remote Management (WinRM) encryption settings, and handles other RPS certificate roles.

    Through PowerShell, the UpdateNodeCertificates TaskMap can be used by assigning it either to a specific TargetItem or to a TargetGroup. In this documentation, however, we will focus on rolling certificates to all targets (using the dynamic/smart group) under a specified Node. Making the assignment between the UpdateNodeCertificates TaskMap and the dynamic group is automated, and subjectively much simpler, through the Web UI.

    Dynamic groups are essentially auto-generated TargetGroups, based on a set of filters and conditions. For more detailed documentation on dynamic groups, please reference Creating a Dynamic Group. The dynamic group we are primarily concerned with for certificate rolling is of type ManagedCertificate_Targets, and is named using the syntax {Name}-ManagedCertificate (where Name is the name of the Node).

    Step-by-step instructions on how to roll certificates, through your method of choice, can be found below.

    PowerShell

    1. You will need to obtain and store the UpdateNodeCertificates TaskMap.

      $taskMap = Get-RpsTaskMap -Type $Rps.TaskMapTypes.CertificatesManagement -Name $Rps.TaskMapNames.UpdateNodeCertificates
      
      Note

      If you already know the name of the Node for which you would like to roll certificates, you may skip this step.

    2. We will be getting the Node by Id, and storing its name.

      $node = Get-RpsNode -Id "1a38129b-b8ac-4523-be79-94cfc929ba4b"
      $nodeName = $node.Name
      
    3. Get and store the dynamic group (a TargetGroup) by name, using the following syntax:

      $dynamicGroup = Get-RpsTargetGroup -Name "$nodeName-ManagedCertificate"
      
    4. Finally, we will create the TaskMapAssignment between the previously saved TaskMap and dynamic group. This will initiate the certificate rolling process.

      New-RpsTaskAssignment -TaskMap $taskMap -TargetGroup $dynamicGroup -NodeIdToRunOn $node.Id
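
The four steps above combined into one function, as an added example that is not part of the RPS documentation or code. `Invoke-NodeCertificateRoll` is a hypothetical name, and the script assumes the RPS module is loaded with `$Rps` populated as in the steps; it uses only the cmdlets and parameters shown above and stops before creating the assignment if the TaskMap, Node, or dynamic group cannot be resolved.

```powershell
# Added example: the page's four steps with guard checks around each lookup.
# Assumption: the RPS PowerShell module is loaded and $Rps is populated.
# Invoke-NodeCertificateRoll is a hypothetical wrapper, not an RPS cmdlet.
function Invoke-NodeCertificateRoll {
    # ConfirmImpact 'High' prompts before the assignment unless -Confirm:$false is passed.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # [guid] rejects a malformed Node Id before any RPS call is made.
        [Parameter(Mandatory = $true)]
        [guid]$NodeId
    )

    # Treat any error from the lookups below as fatal for this function.
    $ErrorActionPreference = 'Stop'

    # Step 1: obtain the UpdateNodeCertificates TaskMap.
    $taskMap = Get-RpsTaskMap -Type $Rps.TaskMapTypes.CertificatesManagement -Name $Rps.TaskMapNames.UpdateNodeCertificates
    if (-not $taskMap) { throw "UpdateNodeCertificates TaskMap was not found." }

    # Step 2: resolve the Node by Id.
    $node = Get-RpsNode -Id $NodeId.ToString()
    if (-not $node) { throw "No Node found with Id $NodeId." }

    # Step 3: resolve the dynamic group named {Name}-ManagedCertificate.
    $groupName = "$($node.Name)-ManagedCertificate"
    $dynamicGroup = Get-RpsTargetGroup -Name $groupName
    if (-not $dynamicGroup) { throw "Dynamic group '$groupName' was not found." }
    if (@($dynamicGroup).Count -gt 1) { throw "More than one TargetGroup matched '$groupName'." }

    # Step 4: create the assignment, which starts the certificate roll.
    if ($PSCmdlet.ShouldProcess($groupName, 'Assign UpdateNodeCertificates TaskMap')) {
        New-RpsTaskAssignment -TaskMap $taskMap -TargetGroup $dynamicGroup -NodeIdToRunOn $node.Id
    }
}

# Preview against the example Node Id from step 2; -WhatIf performs the lookups
# but does not create the assignment.
Invoke-NodeCertificateRoll -NodeId '1a38129b-b8ac-4523-be79-94cfc929ba4b' -WhatIf
```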
      

    Web UI

    1. Through the Web UI, certificate rolling is performed through the Certificate Management web page (accessible via the Distribution drop-down). Please navigate to this page.

    Figure 1: Certificate Management page

    2. Using the panel on the left-hand side of the screen, search for and then select the Node for which you would like to roll/deploy certificates.

    Figure 2: Selecting Node

    3. When you are ready, click on the Deploy button for the selected Node on the Certificate Management page. This will assign the UpdateNodeCertificates TaskMap to the dynamic group, and begin the certificate rolling process.

    Figure 3: Confirm Install

    4. To check the status of the certificate rolling processes, navigate to the Assignments page by selecting Assignments from the Tasking drop-down on the menu bar.

    Figure 4: Checking Rolling Status

    5. On the left side of the Assignments page you can filter by Target Group or by Status. You can view the Status of your deployment within the filtered results in the center of the page. Any applicable messages appear on the right side of the Assignments page under Message.

    Figure 5: Checking Rolling Status
