When to rotate certificates
You may need to rotate the node, client, or CA certificates in the following scenarios:- The node, client, or CA certificates are expiring soon.
- Your organization’s compliance policy requires periodical certificate rotation.
- The key (for a node, client, or CA) is compromised.
- You need to modify the contents of a certificate, for example, to add another DNS name or the IP address of a load balancer through which a node can be reached. In this case, you would need to rotate only the node certificates.
Rotate client certificates
-
Create a new client certificate and key:
- Upload the new client certificate and key to the client using your preferred method.
- Have the client use the new client certificate. This step is application-specific and may require restarting the client.
Rotate node certificates
To rotate a node certificate, you create a new node certificate and key and reload them on the node.-
Create a new node certificate and key:
Since you must create the new certificate and key in the same directory as the existing certificate and key, use the
--overwriteflag to overwrite the existing files. Also, be sure to specify all addresses at which node can be reached. -
Upload the node certificate and key to the node:
-
Reload the node certificate without restarting the node by issuing a
SIGHUPsignal to thecockroachprocess:TheSIGHUPsignal must be sent by the same user running the process or by a user with adequate privileges to send signals to processes owned by another user, such as a user withsudoaccess. -
Verify that certificate rotation was successful using the Local Node Certificates page in the DB Console:
https://<address of node with new certs:8080/#/reports/certificates/local. Scroll to the node certificate details and confirm that the Valid Until field shows the new certificate expiration time.
Rotate the CA certificate
To rotate the CA certificate, you create a new CA key and a combined CA certificate that contains the new CA certificate followed by the old CA certificate, and then you reload the new combined CA certificate on the nodes and clients. Once all nodes and clients have the combined CA certificate, you then create new node and client certificates signed with the new CA certificate and reload those certificates on the nodes and clients as well. For more background, see and .-
Rename the existing CA key:
-
Create a new CA certificate and key, using the
--overwriteflag to overwrite the old CA certificate:This results in the ,ca.crt, which contains the new certificate followed by the old certificate.
The CA key is never loaded automatically by
cockroach commands, so it should be created in a separate directory, identified by the --ca-key flag.-
Upload the new CA certificate to each node:
- Upload the new CA certificate to each client using your preferred method.
-
On each node, reload the CA certificate without restarting the node by issuing a
SIGHUPsignal to thecockroachprocess:TheSIGHUPsignal must be sent by the same user running the process (e.g., run withsudoif thecockroachprocess is running under userroot). - Reload the CA certificate on each client. This step is application-specific and may require restarting the client.
-
Verify that certificate rotation was successful using the Local Node Certificates page in the DB Console:
https://<address of node with new certs:8080/#/reports/certificates/local. The details of the old as well as new CA certificates should be shown. Confirm that the Valid Until field of the new CA certificate shows the new certificate expiration time. - Once you are confident that all nodes and clients have the new CA certificate, rotate the node certificates and rotate the client certificates.

