autonomy cert rotate

Rotate an existing TLS leaf certificate in-place

Synopsis

Rotate an existing ECDSA P-256 leaf certificate in-place.

The existing certificate and key files are replaced atomically. If --identity is omitted, the Subject CN of the existing certificate is used.

Run this command before the certificate’s renewal window (default 30 days before expiry) to maintain uninterrupted mTLS connectivity.

Required RBAC permission: cert:manage. Set AUTONOMY_RBAC_ENFORCEMENT=0 to disable enforcement (not recommended in production).

Usage

autonomy cert rotate [flags]

Examples

  # Rotate with identity read from existing cert
  autonomy cert rotate \
    --cert-file   /etc/edge/certs/node.crt \
    --key-file    /etc/edge/certs/node.key \
    --ca-cert     /etc/edge/certs/ca.crt \
    --ca-key      /etc/edge/certs/ca.key

  # Rotate with explicit identity override
  autonomy cert rotate \
    --cert-file   /etc/edge/certs/node.crt \
    --key-file    /etc/edge/certs/node.key \
    --ca-cert     /etc/edge/certs/ca.crt \
    --ca-key      /etc/edge/certs/ca.key \
    --identity    node-alpha.edge.io
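
A scheduled wrapper for the timing guidance in the Synopsis, as an added example that is not part of the autonomy project: it rotates a few days ahead of the 30-day renewal window, then checks that the new leaf chains to the CA. The 7-day lead margin, the function names, and the use of openssl and GNU date are assumptions; the paths and flags are the ones shown in the examples above.

```shell
#!/bin/sh
# Added example, not autonomy project code. Paths and flags are from this page.
CERT=/etc/edge/certs/node.crt
KEY=/etc/edge/certs/node.key
CA_CERT=/etc/edge/certs/ca.crt
CA_KEY=/etc/edge/certs/ca.key
WINDOW_DAYS=30   # renewal window: the page's default
LEAD_DAYS=7      # assumption: rotate this many days before the window opens

# True (exit 0) when the time left is at or below window + lead, or already negative.
rotation_due() {  # args: not_after_epoch now_epoch window_days lead_days
    [ $(( $1 - $2 )) -le $(( ($3 + $4) * 86400 )) ]
}

# Whole days until expiry (negative once expired).
days_remaining() {  # args: not_after_epoch now_epoch
    echo $(( ($1 - $2) / 86400 ))
}

# notAfter of a PEM certificate as a Unix epoch. Assumes openssl and GNU date (-d).
cert_not_after_epoch() {  # arg: certificate path
    end=$(openssl x509 -in "$1" -noout -enddate) || return 1
    date -u -d "${end#notAfter=}" +%s
}

rotate_if_due() {
    now=$(date -u +%s)
    not_after=$(cert_not_after_epoch "$CERT") || { echo "cannot read $CERT" >&2; return 2; }
    if ! rotation_due "$not_after" "$now" "$WINDOW_DAYS" "$LEAD_DAYS"; then
        echo "no rotation: $(days_remaining "$not_after" "$now") days left"
        return 0
    fi
    autonomy cert rotate --cert-file "$CERT" --key-file "$KEY" \
        --ca-cert "$CA_CERT" --ca-key "$CA_KEY" || return 1
    # Post-checks: the new leaf chains to the CA and is no longer due for rotation.
    openssl verify -CAfile "$CA_CERT" "$CERT" >/dev/null || return 1
    new_end=$(cert_not_after_epoch "$CERT") || return 1
    ! rotation_due "$new_end" "$now" "$WINDOW_DAYS" "$LEAD_DAYS"
}
```

Call `rotate_if_due` from a daily cron job or systemd timer; a non-zero exit means the certificate could not be read, the rotation failed, or a post-check failed.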

Options

      --ca-cert string      path to CA certificate PEM (required)
      --ca-key string       path to CA private key PEM (required)
      --cert-file string    path to write the new leaf certificate PEM (required)
      --identity string     override node identity (default: Subject CN of existing cert)
      --key-file string     path to write the new leaf private key PEM (required)
      --validity-days int   certificate validity period in days (default 90)

See also

  • autonomy cert — Manage TLS leaf certificates for edge node identity