Documentation for TLS certificate rotation feature #2165
Conversation
|
This PR includes documentation updates Updated pages: |
| @@ -1108,6 +1108,44 @@ Beware that the SSL debug option logs a new statement every time a client connec | |||
| To avoid that scenario, make sure this setting is only enabled for a short term duration. | |||
| ==== | |||
| [role=label--new-2025.03] | |||
| [[certificate-rotation]] | |||
| == Certificates rotation | |||
There was a problem hiding this comment.
Do we need to specify here: TLS certificates rotation?
| [source, properties] | ||
| ---- | ||
| dbms.security.tls_reload=true (default is false) |
There was a problem hiding this comment.
if this setting needs to be set up to true during the cluster deployment, I think we have to mention it on other pages where we talk how to deploy cluster in Neo4j. https://neo4j.com/docs/operations-manual/current/clustering/setup/deploy/.
Do we need to update pages in the Docker and Kubernetes sections?
There was a problem hiding this comment.
One more question: Do we need to mention this setting above https://neo4j.com/docs/operations-manual/current/security/ssl-framework/#ssl-configuration? where we talk about SSL configuration settings
There was a problem hiding this comment.
We could mention it on https://neo4j.com/docs/operations-manual/current/clustering/setup/deploy/ but I don't think we should - it's an optional feature and we don't mention SSL setup anywhere else on that page. I guess same applies to Docker and Kubernetes sections.
I don't think it needs to go above the other settings - again this is an optional feature and isn't required knowledge to fully understand and deploy the SSL configuration
| [source] | ||
| ---- | ||
| dbms.reloadTLSCertificates() |
There was a problem hiding this comment.
Is this a new procedure? Our test didn't show yet that we miss a procedure on our page https://neo4j.com/docs/operations-manual/current/procedures/. But looks like we need to add in this procedure there
There was a problem hiding this comment.
Yes it's a new procedure but not merged yet. I'll add it to this page too once we agree the name.
| dbms.reloadTLSCertificates() | ||
| ---- | ||
| . New settings will take effect immediately, however existing connections will not be pre-emptively terminated. |
There was a problem hiding this comment.
I think I need more details here. Does this mean that new connections will use new certificates, but the existing connections (established before the update) will continue using the old certificates until they expire?
There was a problem hiding this comment.
Yes exactly. It will not terminate existing connection. But any new connections will use the new certificates
There was a problem hiding this comment.
Even expired certificates won't cause a connection to terminate. The certificates are only used during the connection negotiation stage
Co-authored-by: NataliaIvakina <[email protected]>
|
This PR includes documentation updates Updated pages: |
Co-authored-by: NataliaIvakina <[email protected]>
https://trello.com/c/4hpH8ouM/429-dynamic-tls-certificates-with-online-rotation