Certificate key pairs for nodes

EDA uses the gNSI Certz or gNOI certificate management protocols to generate, distribute, and rotate the certificate and key for nodes, and uses cert-manager to sign the node certificate.

The bootstrap server uses the following parameters for rotating certificates (these settings cannot be modified in the current release):

  • RotationThreshold: the percentage of remaining certificate validity at which the bootstrap server rotates the certificate. This value is set to 50%.
  • CriticalFailedRotationThreshold: if the certificate rotation fails, this is the percentage of remaining certificate validity at which the bootstrap server generates a critical alarm. This value is set to 70%.
  • BackoffTimer: the backoff duration (set to 60 seconds) to wait between failed rotation attempts.

Nodes that support gNSI Certz

During bootstrap, the initial configuration provided to the node must contain at least two gRPC servers to handle the gNMI and gNSI services:
  • bootstrap server: the gNMI server configured with the network-instance mgmt and port 50052; it uses the default TLS profile (default-tls-profile: true)
  • mgmt server: the gNSI server configured with network-instance mgmt, port 57400; it uses a dummy TLS profile named EDA

Initial certificate key pair generation

The bootstrap server adds the initial certificate key pair to the node using the gNSI protocol. The bootstrap server discovers the node by periodically sending gNMI capabilityRequest messages on port 50052 with the flag skip-verify: true. When the node is discovered, the bootstrap server creates the certificate key pair and rotates the TLS profile called EDA on the node.

Certificate key pair rotation

The bootstrap server rotates the node certificate and key pair when the certificate is about to expire, according to the configured validity time and the rotation threshold.

The bootstrap server monitors the certificate expiry in the TLSProfile CR and triggers its renewal.

Change in node issuer certificate triggers certificate rotation

When the node issuer certificate changes, the bootstrap server checks if the node issuer certificate stored in the certStore (security git repo) is different from the one in the issuer secret. If the certificate is different, the bootstrap server triggers the node certificate rotation regardless of the certificate validity time.

EDA alarms on certificate rotation failure

EDA generates alarms when it detects a failure in certificate rotation. It raises an initial (Major) alarm when the certificate rotation fails at the rotation threshold, and a second (Critical) alarm when the remaining validity reaches the CriticalFailedRotationThreshold.

These alarms should be cleared when the node certificate is successfully rotated. The alarm should specify the node name and the name of the TLS profile that failed to rotate.
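The following is an added example (not EDA's own code) that models the reconcile decision described in the rotation, issuer-change and alarm sections above: when a rotation is due, how the 60-second backoff gates retries, and which alarm severity applies while a rotation keeps failing. The thresholds are the fixed values stated on this page; the example assumes they are compared against the fraction of the validity period already consumed, so that the 70% critical threshold is reached after the 50% rotation threshold, and it assumes issuer certificates are compared by fingerprint (the node name, profile name and fingerprints are constructed sample values).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Fixed values from the page. Assumption of this example: a threshold is
# checked against the consumed fraction of the validity period.
ROTATION_THRESHOLD = 0.50
CRITICAL_FAILED_ROTATION_THRESHOLD = 0.70
BACKOFF_TIMER = timedelta(seconds=60)


@dataclass
class NodeCertState:
    node: str
    profile: str                 # TLS profile on the node, e.g. "EDA"
    not_before: datetime
    not_after: datetime
    issuer_fingerprint: str      # issuer cert recorded in the certStore
    last_attempt: Optional[datetime] = None
    failed: bool = False


def consumed_fraction(st: NodeCertState, now: datetime) -> float:
    """Fraction of the validity window already used, clamped to [0, 1]."""
    total = (st.not_after - st.not_before).total_seconds()
    return min(max((now - st.not_before).total_seconds() / total, 0.0), 1.0)


def decide(st: NodeCertState, now: datetime,
           current_issuer_fp: str) -> Tuple[str, Optional[str]]:
    """One reconcile tick: returns ("rotate" | "wait", alarm text or None)."""
    frac = consumed_fraction(st, now)
    alarm = None
    if st.failed:  # a previous rotation attempt failed and is not yet cleared
        sev = "Critical" if frac >= CRITICAL_FAILED_ROTATION_THRESHOLD else "Major"
        alarm = f"{sev}: rotation of profile {st.profile} on node {st.node} failed"
    # Issuer change forces rotation regardless of remaining validity.
    due = current_issuer_fp != st.issuer_fingerprint or frac >= ROTATION_THRESHOLD
    in_backoff = (st.failed and st.last_attempt is not None
                  and now - st.last_attempt < BACKOFF_TIMER)
    return ("rotate" if due and not in_backoff else "wait"), alarm


def record_result(st: NodeCertState, now: datetime, ok: bool,
                  new_not_after: Optional[datetime] = None) -> None:
    """Record a rotation attempt; success installs the new validity window."""
    st.last_attempt = now
    st.failed = not ok
    if ok and new_not_after is not None:
        st.not_before, st.not_after = now, new_not_after
```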