Page MenuHomePhabricator

Renew RESTBase self-signed root certificate authority
Closed, ResolvedPublic


The root CA will need to be renewed/replaced by no later than September 18, when it expires.

See also: T120662: Track/alert cassandra certs expiration

NOTE: During the ops-services-syncup meeting today (2016-08-18), @faidon suggested that the root CA be replaced by one with a 5 year expiration.

Event Timeline

Eevans updated the task description. (Show Details)
Eevans moved this task from Backlog to Next on the Cassandra board.
Eevans triaged this task as Medium priority.Aug 18 2016, 2:01 PM
Eevans added a subscriber: faidon.

the procedure to rollover / extend expiration is outlined at

we can change cassandra-ca-manager to issue CA certs with default expiration of 5yr and issue a new CA cert

The proposed solution to monitoring certificate expiration (, acts remotely using the encrypted inter-node messaging port (7001), and so is testing the server certificate only. This still leaves open the question of monitoring the root CA for expiration.

It has already been suggested that we increase the root CA expiration from 1 year to 5. I wonder, is there much of a difference, security-wise, between 5 years and say 50 (where 50 years is arbitrary, something that for this purpose seems indefinite)? Should we just make the expiration long enough that we'll never have to worry about it expiring?

@faidon, @MoritzMuehlenhoff, @dpatrick ?

We can check that with existing "check_ssl_certfile" or a slight variation of it.

"via NRPE. It runs "openssl x509 -checkend 324000 -noout -in $1 on the cert file. "


This is if we do want it to expire and monitor that.

Mentioned in SAL [2016-09-08T14:36:39Z] <godog> bounce restbase-test2001 cassandra-a instance T143044

Mentioned in SAL [2016-09-08T16:13:07Z] <godog> roll-restart cassandra instances on restbase-test cluster T143044

this is complete with a 50y CA in the restbase test cluster, production cluster to follow monday week

root@cerium:/etc/cassandra-a/tls# keytool -list -keystore server.key 
Enter keystore password:  

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

cerium-a, Sep 8, 2016, PrivateKeyEntry, 
Certificate fingerprint (SHA1): EA:B9:2C:EB:1E:57:BA:1F:71:84:70:11:12:E6:62:BF:E8:B9:48:AA
mykey, Sep 8, 2016, trustedCertEntry, 
Certificate fingerprint (SHA1): B6:97:AF:B9:94:C5:21:A0:C2:FE:82:DC:9B:64:06:AC:16:35:EF:7C

note we'll need to renew some instance certs in codfw as part of this as they are about to expire anyway

Mentioned in SAL [2016-09-12T15:15:57Z] <godog> drain and restart cassandra instances on restbase2001 with new CA - T143044

Mentioned in SAL [2016-09-12T15:41:21Z] <godog> roll-restart cassandra in codfw with new CA and certs T143044

Mentioned in SAL [2016-09-12T17:29:30Z] <godog> roll-restart cassandra in eqiad with new CA and certs T143044

fgiunchedi claimed this task.

Completed, both CAs for restbase production and staging cluster have been renewed and new certs issued.