edged rotate

Rotate the mTLS leaf certificate

Synopsis

rotate issues a new mTLS leaf certificate signed by the configured CA.

The CA private key must be set via ca_key_file in the transport section of the
config file. The existing leaf cert and key are atomically replaced.

Use this command to:
  - Manually force cert rotation at any time.
  - Recover from a partial-write state (cert/key mismatch after crash).

Exit codes:
  0  rotation succeeded
  1  config load or validation failed
  3  rotation failed (CA key missing, CA key unreadable, sign error, or write error)

Usage

edged rotate [flags]

Options

      --valid-days int   validity period for the new leaf cert (days) (default 365)

Options inherited from parent commands

      --config string            path to edge.toml configuration file (required)
      --control-socket string    unix socket path for local control RPC API (default "/run/edged/ctl.sock")
      --log-level string         override log level (debug|info|warn|error); uses config value if empty
      --prometheus-addr string   TCP address for Prometheus /metrics endpoint (e.g. :9090); disabled when empty