When Velociraptor generates a configuration file it also generates some certificates to secure it’s internal PKI.
The CA certificate is embedded in the client’s configuration file and underpins the entire Velociraptor communications protocol - all certificates are issued by this internal CA. The Velociraptor CA is set to expire in 10 years.
The Server certificate is signed by the CA certificate and is set to expire in 1 year by default. When the certificate expires, clients will be unable to connect to the server any more.
You can check the expiry time of the server certificate using curl and openssl:
$ curl -s -k https://127.0.0.1:8000/server.pem | openssl x509 -text | grep -A 2 Validity Validity Not Before: Apr 13 12:05:46 2022 GMT Not After : Apr 13 12:05:46 2023 GMT
To rotate server certificates, simply use the following command to generate a new configuration file with rotated certificates:
$ velociraptor --config /etc/velociraptor/server.config.yaml config rotate_key > /tmp/new_key.config.yaml
You can view the new certificate using jq and openssl (here
used to show the PEM certificate of the frontend and
openssl is used
to decode it)
$ velociraptor --config /tmp/new_key.config.yaml config show --json | jq -r .Frontend.certificate | openssl x509 -text | grep -A 2 Validity Validity Not Before: Apr 25 21:01:51 2022 GMT Not After : Apr 25 21:01:51 2023 GMT
Now back up the old configuration file and replace it with the new file, then restart the server. Clients should reconnect automatically.