Self Signed X.509 Certificates

If you have the charm deployed from the latest/stable track we recommend migrating to 1/stable immediately as latest is deprecated.

To keep using your current CA follow these steps:

1. Rename the secret owned by self-signed-certificates that contains the CA from ca-certificates to active-ca-certificates

juju update-secret <secret-id> --name active-ca-certificates

2. Refresh the charm using the following config options

• Set root-ca-validity and certificate-validity to match the values from your current deployment, for example if you had certificate-validity set to 10 now you need to set it to 10d
• ca-country-name to US as it was a default value in latest

juju refresh ssc --channel 1/edge --config certificate-validity=10d --config root-ca-validity=365d --config ca-country-name="US"

If keeping the current CA is not a concern:

1. Rename the secret

juju update-secret <secret-id> --name active-ca-certificates

2. Refresh the charm

juju refresh ssc --channel 1/stable

3. Configure the charm with your desired config values (This step is essential for issued certificates to be rotated and new certificates to be issued by the new CA)

For example:

juju config ssc certificate-validity=30d

Or rotate the private key if no config changes are desired

juju run ssc/0 rotate-private-key