Rotating Internal Certificate Authority

The streaming agent used by EOS devices and other applications that communicate with each other in CloudVision uses mutual TLS certificates signed by a local certificate authority (CA). To prevent the CA from expiring in the future, you should rotate the CA. Once rotated, by default, the CA becomes valid for a hundred years. This process re-signs the certificates used by each EOS device's streaming agent and internal applications that communicate with CloudVision. The streaming agent version on all devices must be at least 1.26.0 to use this feature.

You get the first notification through an event message around 90 days prior to the certificate expiry.

To rotate a certificate, go to Settings (gear icon) > Certificates on the CloudVision portal. The CA rotation process takes several minutes, and it is necessary to plan a maintenance window before rotating a CA. See the images below.

Figure 1. Certificate Authority Rotation page

Click Rotate Certificate Authority.

Figure 2. Confirmation Page to Rotate CA

Click Rotate.

Note: During this process, the CloudVision portal becomes inaccessible, and the page displays only the progress of the rotation. Do not close the window or the browser, and do not navigate away from the page. The rotation process takes several minutes (more than 10 minutes). Wait until the rotation process is completed when the browser tab gets refreshed. See image below.
Figure 3. CA Rotation Status Window

Once the rotation process is complete, click Close at the bottom of the page.
Figure 4. CA Rotation Complete Status

The browser tab refreshes, and the CA rotation is completed. The new CA is now valid for one hundred years and the devices get automatically re-enrolled, and the devices stop streaming momentarily to CloudVision while NGINX reboots.

If you see any errors during the CA rotation process, you can retry the rotation. If the rotation process fails after multiple retries, then you must contact Arista Support team (TAC) for a resolution.