Introduction
This article covers how to replace the TLS certificate and key on your Vault cluster without restarting the Vault process, so the rotation causes no downtime.
Please bear in mind the examples provided below are illustrative. Paths and network targets should be updated according to your environment.
Procedure
- Confirm the path of the TLS certificate and key in your Vault configuration:
  grep tls /path/to/vault.hcl
- Validate the current certificate metadata from the client side:
  openssl s_client -connect $SERVER:$PORT < /dev/null | openssl x509 -noout -subject -issuer -dates -serial
- Overwrite the certificate and key files in place, retaining their names:
  cat /path/to/new/tls.pem > /path/to/old/tls.pem
  cat /path/to/new/tls.key > /path/to/old/tls.key
- Send a HUP signal to the vault process so it reloads the listener's TLS files:
  pkill -SIGHUP vault
- Validate that the new certificate is being used by your Vault listener:
  openssl s_client -connect $SERVER:$PORT < /dev/null | openssl x509 -noout -subject -issuer -dates -serial
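The procedure above as one script, added here as an example and not part of the original article: it refuses to overwrite the files unless the new certificate and key belong together and the certificate is not about to expire, backs up the old files, and after the reload compares the serial the listener presents with the serial of the file on disk. The file paths, the "vault" process name and SERVER:PORT are assumptions to adjust for your environment.

```shell
# Added example, not from the original article. Paths, the "vault" process
# name and SERVER:PORT are assumptions; adjust them to your environment.
set -eu

# Serial number of a PEM certificate on disk.
cert_serial() {
  openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# Serial number the live listener presents (empty if it cannot be reached).
live_serial() {
  openssl s_client -connect "$1" < /dev/null 2>/dev/null \
    | openssl x509 -noout -serial 2>/dev/null | sed 's/^serial=//'
}

# Succeeds only when the key's public half equals the certificate's public key,
# so a cert/key mix-up is caught before the listener is asked to reload.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only when the certificate stays valid for at least $2 more seconds.
cert_not_expiring() {
  openssl x509 -in "$1" -noout -checkend "$2" > /dev/null
}

# Back up the old files, then overwrite them in place. Writing through the
# existing files (cat >) keeps their names, owner and mode, which the Vault
# listener configuration and the file permissions depend on.
rotate_tls_files() {
  new_cert=$1; new_key=$2; old_cert=$3; old_key=$4
  cert_matches_key "$new_cert" "$new_key" || { echo "new cert and key do not match" >&2; return 1; }
  cert_not_expiring "$new_cert" 86400 || { echo "new cert expires within 24h" >&2; return 1; }
  cp -p "$old_cert" "$old_cert.bak"
  cp -p "$old_key" "$old_key.bak"
  cat "$new_cert" > "$old_cert"
  cat "$new_key" > "$old_key"
}

# Rotate, reload the listener with SIGHUP, and confirm the served serial
# now equals the serial of the certificate file on disk.
rotate_and_reload() {
  rotate_tls_files "$1" "$2" "$3" "$4"
  pkill -SIGHUP vault
  sleep 2
  [ "$(live_serial "$5")" = "$(cert_serial "$3")" ]
}
```

Run it as `rotate_and_reload /path/to/new/tls.pem /path/to/new/tls.key /path/to/old/tls.pem /path/to/old/tls.key "$SERVER:$PORT"`; a non-zero exit means either a pre-check failed (nothing was overwritten) or the listener is still presenting the old serial after the reload.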