Rotating the ingestion root Certification Authority (CA) certificate is a delicate process that must be performed with special care. It's a three-step process that provisions a new root CA certificate for your instance, then invalidates the previous root CA certificate.
Root CA rotation is only necessary when ingesting data using mutual TLS authentication (mTLS), and
- The root CA certificate of your CLS instance is expiring soon, or
- The private key of a client certificate was leaked.
Not following this process can result in premature invalidation of certificates and, as a result, interruption of log ingestion.
-
Create a new Root CA certificate.
Start the root CA certificate rotation by updating the
rotate_root_caConfiguration Parameters fromfalsetotrue. This creates a new root CA certificate for your service instance, while retaining the previous root CA certificate. Bindings created before the service instance update continue to work, so ingestion isn't affected. New bindings return certificates issued by the new root CA. -
Rebind all Applications.
With the new root CA certificate in place, create new bindings for each shipping mechanism. Since this process depends on the sending mechanism, refer to Ingest Observability Data.
-
Delete the old root CA certificate.
After recreating all of your ingestion-related bindings, update your service instance configuration
rotate_root_caservice parameter tofalse. Afterwards, validate that the ingestion still works as expected for all bindings.