v2.25 Preview Preview release - not for production v2024.2 LTS Stable release with long-term support v2024.1 STS Stable release with standard-term support v2.20 LTS Stable release with long-term support v2.18 STS Stable release with standard-term support v2.14 LTS Stable release with long-term support Unsupported versions

Rotate certificates

Rotate certificates used by a universe

YugabyteDB Anywhere will alert you 30 days before the expiry of any certificates. You can view the time to expiry of certificates by navigating to your universe Health tab.

You must rotate (refresh) TLS certificates before they expire to avoid service interruption. This can include the following certificates:

  • Root and server certificates used for node-to-node TLS encryption.

  • Root certificate used for client-to-node TLS encryption.

  • Custom CA certificate.

If you are using automatically generated universe certificates, you must still rotate the certificate; YugabyteDB Anywhere can generate new certificates for you.

If you are using your own certificates, before rotating certificates, ensure that you have added the new certificates to YugabyteDB Anywhere. Refer to Add certificates.

Rotating the CA certificate on the source universe with xCluster Replication causes replication to pause. You should restart replication after completing the CA certificate rotation on the source universe.

Enable or disable encryption in transit

You can enable or disable:

  • encryption in transit for the universe
  • node-to-node encryption in transit
  • client-to-node encryption in transit

This requires a simultaneous restart of all nodes, resulting in some downtime.

To enable or disable encryption in transit:

  1. Navigate to your universe.

  2. Click Actions > More > Edit Security > Encryption in-Transit to open the Manage encryption in transit dialog.

    Enable encryption in transit

  3. Set the Enable encryption in transit for this Universe option.

  4. On the Certificate Authority tab, set the Enable Node to Node Encryption and Enable Client to Node Encryption options.

  5. If you are enabling node-to-node or client-to-node encryption, select the root certificate to use, or leave the Select root certificate field empty to have YugabyteDB Anywhere generate a self-signed certificate.

  6. Click Apply.

YugabyteDB Anywhere restarts the universe.

Rotate certificates

Node-to-node certificates

If your node-to-node root certificate has expired, rotation requires a simultaneous restart of all nodes, resulting in some downtime.

If the certificate has not expired:

  • If the universe was created using YugabyteDB Anywhere v2.16.5 and earlier, then the rotation requires a restart, which can be done in a rolling manner with no downtime. You can opt to not perform a rolling update to update all nodes at the same time, but this will result in downtime.
  • If the universe was created using YugabyteDB Anywhere v2.16.6 or later, then the rotation is done without a restart and no downtime.

Client-to-node certificates

If the universe was created using YugabyteDB Anywhere v2.16.5 and earlier, then the rotation requires a restart. This can be done in a rolling manner with no downtime, regardless of whether the client-to-node certificates are expired or not expired.

If the universe was created using YugabyteDB Anywhere v2.16.6 or later, then the rotation is done without a restart and no downtime.

If you change your client-to-node root certificate, be sure to update your clients and applications to use the new certificate. Refer to Download the universe certificate.

Rotate server certificates

To rotate server (node) certificates for a universe, do the following:

  1. Navigate to your universe.

  2. Click Actions > More > Edit Security > Encryption in-Transit to open the Manage encryption in transit dialog.

  3. On the Server Certificate tab, select the Rotate Node-to-Node Server Certificate and Rotate Client-to-Node Server Certificate options as appropriate.

  4. Deselect the rolling upgrade option to perform a hot certificate reload with no downtime.

    If the universe was created using YugabyteDB Anywhere v2.16.5 and earlier, select the Use rolling upgrade to apply this change option to perform the upgrade in a rolling update (recommended) and enter the number of seconds to wait between node upgrades.

  5. Click Apply.

Rotate root certificates

To rotate root certificates for a universe, do the following:

  1. Navigate to your universe.

  2. Click Actions > More > Edit Security > Encryption in-Transit to open the Manage encryption in transit dialog.

  3. On the Certificate Authority tab, select the new root certificate(s).

    If your certificate is not listed, ensure you have added the certificate to YugabyteDB Anywhere.

    To have YugabyteDB Anywhere generate a new self-signed CA certificate automatically, clear the root certificate field.

    Note that when you rotate the root certificate, the server certificates are automatically rotated.

  4. Deselect the rolling upgrade option to perform a hot certificate reload with no downtime.

    If the universe was created using YugabyteDB Anywhere v2.16.5 and earlier, select the Use rolling upgrade to apply this change option to perform the upgrade in a rolling update (recommended) and enter the number of seconds to wait between node upgrades.

  5. Click Apply.