From 7aa0128e0ddc7c7ef8369fea6e71e3615e301024 Mon Sep 17 00:00:00 2001 From: Natalia Ivakina Date: Tue, 25 Mar 2025 13:06:19 +0100 Subject: [PATCH] Clarify the difference between copying and overwriting TLS certificates --- modules/ROOT/pages/security/ssl-framework.adoc | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/modules/ROOT/pages/security/ssl-framework.adoc b/modules/ROOT/pages/security/ssl-framework.adoc index 733133eda..a6c7dc65b 100644 --- a/modules/ROOT/pages/security/ssl-framework.adoc +++ b/modules/ROOT/pages/security/ssl-framework.adoc 
@@ -1122,22 +1122,24 @@ The following steps outline the process for certificates rotation. . Enable the dynamic reloading of certificates on all cluster members. It is best to do this when the cluster is deployed as changing this configuration requires a restart: - ++ [source, properties] ---- dbms.security.tls_reload_enabled=true (default is false) ---- . Replace old certificates either by overwriting them on the filesystem or by copying them to a new location. -Then update the required SSL configuration for each effected scope. + -New and old certificates may co-exist on the filesystem, but only one can be referenced in the configuration. -New certificates need to be copied to all cluster members as required. +Keep in mind that if you choose to copy the certificates to a new directory or use different filenames, you must dynamically update the SSL policy settings. +If you are overwriting the certificates in place and not changing anything else, there is no need to dynamically update the SSL policy settings. ++ +New and old certificates may co-exist on the filesystem, but only one can be referenced in the configuration. + +It is required to copy new certificates to all cluster members. -. Make necessary changes to any of the SSL configuration and/or replace certificates for effected scopes. +. Make necessary changes to any of the SSL configuration and/or replace certificates for affected scopes. . Connect to each cluster member in turn with Cypher Shell using a <> and run the reload procedure: - ++ [source] ---- dbms.security.reloadTLS()
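Review bot: Steps 2 and 3 of the rotation procedure now overlap: step 2 ("Replace old certificates either by overwriting them on the filesystem or by copying them to a new location") already covers both replacing the certificates and updating the SSL policy settings, yet step 3 still reads "Make necessary changes to any of the SSL configuration and/or replace certificates for affected scopes." Either fold step 3 into step 2 or narrow step 3 to the configuration changes that step 2 says must be made dynamically when the directory or filenames change, so the reader is not told to replace certificates twice. Related: "you must dynamically update the SSL policy settings" states the requirement without saying how a setting is changed at runtime; a link or one sentence on the mechanism would help, since the preceding step already warns that changing `dbms.security.tls_reload_enabled` requires a restart and readers will want to avoid a second one. Minor, in the unchanged context this hunk reattaches with `++`: the `[source, properties]` block contains `dbms.security.tls_reload_enabled=true (default is false)`; the parenthetical is not valid properties syntax and will be copied verbatim into neo4j.conf, so move "default is false" into the prose around the block.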