Rotate CA and Server certificate of Harbor deployed using OVA

Article ID: 384919

Products

  • Tanzu Kubernetes Grid
  • VMware Tanzu Kubernetes Grid
  • VMware Tanzu Kubernetes Grid 1.x
  • VMware Tanzu Kubernetes Grid Management

Issue/Introduction

This process walks through how the CA and server certificates of Harbor can be rotated when Harbor is deployed using the OVA form factor. While rotating these certificates, note the following:

  • These steps have been tested with an OVA that uses custom CA and server certificates.
    • If custom certificates are not in use, the steps still apply, but generating the new CA and server certificates is out of scope for this process.
  • If the CA certificate is rotated, push the updated CA to all clients, such as TKG clusters, so that their connections to Harbor remain uninterrupted.
  • If only the server certificate is rotated and the CA remains unchanged, no changes are needed on the client side.

Resolution

  • Perform these steps after connecting to the Harbor OVA VM over SSH.
  • If the CA certificate does not need to be rotated, skip the steps that involve /storage/data/ca_download/ca.crt. The rest of the process remains the same.

Verify existing permissions

ls -lrth /storage/data/ca_download/ca.crt
-rw-r--r-- 1 10000 10000 2.0K Dec 12 04:55 /storage/data/ca_download/ca.crt

ls -lrth /storage/data/secret/cert
total 8.0K
-rw------- 1 10000 10000 3.2K Dec 12 04:55 server.key
-rw------- 1 10000 10000 2.0K Dec 12 04:55 server.crt

Backup existing certificates

mkdir $HOME/harbor-original-certs
cp /storage/data/ca_download/ca.crt $HOME/harbor-original-certs/.
cp /storage/data/secret/cert/server.crt $HOME/harbor-original-certs/.
cp /storage/data/secret/cert/server.key $HOME/harbor-original-certs/.

Verify Backup

ls -lrth $HOME/harbor-original-certs

total 12K
-rw-r----- 1 root root 2.0K Dec 12 07:06 ca.crt
-rw------- 1 root root 2.0K Dec 12 07:06 server.crt
-rw------- 1 root root 3.2K Dec 12 07:06 server.key

Stop Harbor services

systemctl stop harbor

Replace Certificates

These commands assume the new CA certificate, server certificate and server key were uploaded to $HOME as harbor-ca.pem, harbor-server-cert.pem and harbor-server-key.pem. Because cp overwrites the existing files in place, they keep their owner (10000) and mode; re-run the ls commands from the first step to confirm this before starting Harbor.

cp $HOME/harbor-ca.pem /storage/data/ca_download/ca.crt
cp $HOME/harbor-server-cert.pem /storage/data/secret/cert/server.crt
cp $HOME/harbor-server-key.pem /storage/data/secret/cert/server.key

Start Harbor service

systemctl start harbor
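The whole procedure above, as an added shell script that is not part of this article: it performs pre-flight checks on the new files, backs up the current ones, replaces them in place so that owner and mode are preserved, restarts Harbor, and restores from the backup if a replacement fails. Passing an empty first argument skips the CA, matching the "CA unchanged" case. The HARBOR_CA_PATH, HARBOR_CERT_DIR and SYSTEMCTL variables, the function names and the certificate/key match check via openssl are assumptions of this example, not part of the article.

```shell
#!/bin/sh
# Added example (not from the KB article): rotate the Harbor OVA certificates
# with the checks, backup and permission preservation the manual steps rely on.
# Paths default to the article's locations; HARBOR_CA_PATH, HARBOR_CERT_DIR and
# SYSTEMCTL are assumptions of this script so it can be exercised on a scratch directory.

# pem_has FILE LABEL: succeed if FILE contains a "-----BEGIN ...LABEL-----" line.
pem_has() {
    grep -q -- "^-----BEGIN .*${2}-----" "$1"
}

# Succeed only if the certificate's public key equals the private key's public key.
# Skipped with a notice when openssl is not installed.
check_cert_key_match() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found; skipping certificate/key match check" >&2
        return 0
    fi
    cert_pub=$(openssl x509 -noout -pubkey -in "$1") || return 1
    key_pub=$(openssl pkey -pubout -in "$2") || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# replace_in_place SRC DST: overwrite DST in place so it keeps its owner (uid 10000
# on the OVA) and mode, then confirm content and mode.
replace_in_place() {
    mode=$(stat -c %a "$2") || return 1
    cat -- "$1" > "$2" || return 1
    chmod "$mode" "$2" || return 1
    cmp -s -- "$1" "$2" && [ "$(stat -c %a "$2")" = "$mode" ]
}

# rotate_harbor_certs NEW_CA NEW_CERT NEW_KEY BACKUP_DIR
# Pass an empty NEW_CA to rotate only the server certificate and key.
# Returns non-zero, with the backed-up files restored and Harbor restarted, on failure.
rotate_harbor_certs() {
    new_ca=$1; new_cert=$2; new_key=$3; backup=$4
    ca_path=${HARBOR_CA_PATH:-/storage/data/ca_download/ca.crt}
    cert_dir=${HARBOR_CERT_DIR:-/storage/data/secret/cert}
    systemctl_cmd=${SYSTEMCTL:-systemctl}

    # 1. Pre-flight checks run before Harbor is touched, so a bad input costs no downtime.
    pem_has "$new_cert" CERTIFICATE || { echo "$new_cert: not a PEM certificate" >&2; return 1; }
    pem_has "$new_key" "PRIVATE KEY" || { echo "$new_key: not a PEM private key" >&2; return 1; }
    check_cert_key_match "$new_cert" "$new_key" || { echo "certificate and key do not match" >&2; return 1; }
    if [ -n "$new_ca" ]; then
        pem_has "$new_ca" CERTIFICATE || { echo "$new_ca: not a PEM certificate" >&2; return 1; }
        [ -f "$ca_path" ] || { echo "$ca_path: missing" >&2; return 1; }
    fi
    for f in "$cert_dir/server.crt" "$cert_dir/server.key"; do
        [ -f "$f" ] || { echo "$f: missing" >&2; return 1; }
    done
    if [ -e "$backup" ]; then
        echo "$backup already exists; refusing to overwrite an earlier backup" >&2; return 1
    fi

    # 2. Back up the current files. The directory holds a private key, so it is owner-only.
    mkdir -p "$backup" && chmod 700 "$backup" || return 1
    cp -p -- "$cert_dir/server.crt" "$cert_dir/server.key" "$backup"/ || return 1
    if [ -n "$new_ca" ]; then cp -p -- "$ca_path" "$backup"/ || return 1; fi

    # 3. Stop Harbor, swap the files in place, restart. On any failure, put the
    #    backed-up files back before restarting so Harbor never comes up half-rotated.
    "$systemctl_cmd" stop harbor || return 1
    ok=1
    if [ -n "$new_ca" ]; then replace_in_place "$new_ca" "$ca_path" || ok=0; fi
    if [ "$ok" = 1 ]; then replace_in_place "$new_cert" "$cert_dir/server.crt" || ok=0; fi
    if [ "$ok" = 1 ]; then replace_in_place "$new_key" "$cert_dir/server.key" || ok=0; fi
    if [ "$ok" != 1 ]; then
        echo "rotation failed; restoring the backed-up certificates" >&2
        for f in server.crt server.key; do cat -- "$backup/$f" > "$cert_dir/$f"; done
        if [ -n "$new_ca" ]; then cat -- "$backup/ca.crt" > "$ca_path"; fi
        "$systemctl_cmd" start harbor
        return 1
    fi
    "$systemctl_cmd" start harbor
}

# Example invocation on the OVA (as root), using the file names from the article:
#   rotate_harbor_certs "$HOME/harbor-ca.pem" "$HOME/harbor-server-cert.pem" \
#       "$HOME/harbor-server-key.pem" "$HOME/harbor-original-certs"
# Server-only rotation: pass "" as the first argument.
```

The pre-flight checks run before `systemctl stop harbor`, so a mismatched key or a non-PEM file is rejected with no downtime; the backup directory is created with mode 700 because it contains server.key, whereas the article's plain `mkdir` leaves that to the umask.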