Updating the gateway peering certificate

How to update the certificate that is used to secure communication between gateways.

The behavior when you update the gateway peering certificate depends on the certificate type:

  • Self-signed gateway peering certificate:

    Gateway downtime and a split-brain occur when you rotate the gateway peering certificate that is used by the apic-gw-service. When you change the certificate on one of the peer-group nodes, that node is detached from the peer-group and becomes a stand-alone node (claiming itself as self-primary). The other nodes consider the node down until it is re-synced back into the peer-group.

  • CA signed gateway peering certificate:

    To avoid downtime, create a crypto validation credential object that contains the certificate issuers. When the validation credential is placed in the peer-group, rotating a leaf certificate (that is signed by the same issuer) does not cause gateway-peering downtime or a split-brain. If you have a new issuer certificate, then the behavior is the same as with a self-signed certificate.
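As an added example (not from this page or the product's own tooling), the following openssl check tells you which of the two behaviours above to expect before you rotate: it treats a PEM file of issuer certificates as the contents of the validation credential and asks whether a candidate leaf chains to one of them. It assumes openssl is on the path; the issuer and both leaf certificates are constructed on the fly for the demonstration.

```shell
# Added example: pre-rotation check for the CA-signed peering certificate case.
# A candidate leaf is safe to rotate in only if it verifies against an issuer that is
# already in the peering validation credential; otherwise expect the self-signed
# behaviour (node detaches, split-brain until re-sync). Assumes openssl is installed.
WORK=$(mktemp -d)

# Constructed issuer CA, standing in for what is loaded into the validation credential.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/issuer.key" \
  -out "$WORK/valcred-issuers.pem" -subj "/CN=Peering Issuer CA" -days 365 >/dev/null 2>&1

# Leaf signed by that issuer: rotating to this one keeps the peer group up.
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/gw1.key" -out "$WORK/gw1.csr" \
  -subj "/CN=gw1" >/dev/null 2>&1
openssl x509 -req -in "$WORK/gw1.csr" -CA "$WORK/valcred-issuers.pem" \
  -CAkey "$WORK/issuer.key" -CAcreateserial -out "$WORK/gw1-same-issuer.pem" \
  -days 365 >/dev/null 2>&1

# Leaf from a new issuer (here self-signed): behaves like the self-signed case.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/gw2.key" \
  -out "$WORK/gw2-new-issuer.pem" -subj "/CN=gw2" -days 365 >/dev/null 2>&1

# rotation_is_safe <valcred issuers PEM> <candidate leaf PEM>
# Returns 0 when the leaf verifies against the issuers in the validation credential.
rotation_is_safe() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print the expected peering behaviour without aborting on the unsafe case.
report() {
  if rotation_is_safe "$1" "$2"; then
    echo "$2: signed by a valcred issuer, no peering downtime expected"
  else
    echo "$2: issuer not in valcred, expect node detach and split-brain until re-sync"
  fi
}

report "$WORK/valcred-issuers.pem" "$WORK/gw1-same-issuer.pem"
report "$WORK/valcred-issuers.pem" "$WORK/gw2-new-issuer.pem"
```

Run the same check against the real issuer PEM and the real candidate certificate before a rotation window; a failing result means you should plan for the self-signed downtime behaviour.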