While there are numerous sources out there detailing how to configure a trustpoint and add a CA and certificate to it, I've yet to find any details about updating a certificate once it expires.
Some of the things we've tried or considered:
- Re-import the cert using PKCS12 file import: fails because the key already exists.
- Delete the cert from the truststore: Last generic identity certificate for the switch. Delete not allowed. Please use force option if required.
- Add a second truststore, which trusts the same CA. It seems cumbersome to me if one has to create a new truststore each time a certificate needs to be renewed. Plus this requires reconfiguration of a service when a certificate is renewed, which would make for a complex automation process.
- Use the bash shell to manipulate the cert file. I'm not sure how a service like GRPC would then pick up the updated cert, as I'm not sure if the cert is read from file or config.
Surely there's an easy way to do this? Or does everyone just configure their GRPC clients to ignore invalid certificates?