Rotating NIA credentials

(NIA) manages three types of credentials, each with its own rotation procedure:

Attestation signing certificate — Uses the rotate-signing-credentials subcommand; requires a manual service restart after rotation.
TLS certificate — Re-run the NIA installer with new certificate files; the installer restarts the service automatically.
vCenter API credentials — Re-run the NIA installer with a new credentials file; the installer restarts the service automatically.

Before you begin

Network Identity Attestor must be deployed and running.
You need shell access to the NIA host as root or a user with sudo access.
Stage new credential files on the NIA host before starting rotation.

Rotate attestation signing certificates

The rotate-signing-credentials subcommand validates the new certificate and key pair, updates the encrypted systemd credential store, and retains the previous credentials as comments for rollback. You must restart the NIA service manually after running the subcommand.

Certificate requirements

The new signing certificate must meet all of the following requirements. See Network Identity Attestation reference for full details.

Key type: RSA (ECDSA and Ed25519 are not supported)
Key usage: Must include digitalSignature
CA constraint: Must not be a Certificate Authority (CA) certificate
Key match: The certificate and private key must belong to the same key pair

Steps

Register the new signing certificate in the Aembit Trust Provider before proceeding.

Run rotate-signing-credentials with the paths to your new signing key and certificate files:

sudo aembit_netid_attestor rotate-signing-credentials \
  --signing-key-path /path/to/new-signing-key.pem \
  --signing-cert-path /path/to/new-signing-cert.pem

The subcommand displays the new certificate’s metadata:

The new signing certificate:

    Fingerprint: E3:91:F2:2C:38:8D:A6:7C:69:59:A4:C0:AE:A8:3B:FE:CC:A9:D2:89:0C:D2:63:25:1C:AF:77:AC:63:CD:A6:3E
    Subject: C=US, O=Aembit, OU=Edge, CN=Aembit Customer Signing
    Issuer: C=US, O=Aembit, OU=Edge, CN=Aembit Customer CA Intermediate
    Valid from: May 11 20:39:25 2026 +00:00
    Valid until: Sep 25 20:39:25 2053 +00:00

Please verify that the fingerprint number displayed here also appears in the configuration of your Trust Provider.

Do you want to continue? [yes/no]

Verify the fingerprint matches the signing certificate you registered in the Trust Provider.
Enter yes at the prompt. The subcommand updates /etc/systemd/system/aembit_netid_attestor.service.d/50-credentials.conf and retains the previous credentials as comments.
Reload the systemd configuration to pick up the updated drop-in file:
Terminal window
```
sudo systemctl daemon-reload
```

Restart the NIA service:

sudo systemctl restart aembit_netid_attestor.service

Verify the service is healthy:

curl -k https://localhost:443/health

Expected response:

{"status":"Healthy","version":"1.29.307"}

Rollback

If you need to revert to the previous signing certificate:

Open the systemd credential file:

sudo nano /etc/systemd/system/aembit_netid_attestor.service.d/50-credentials.conf

Remove the new attestation_signing_key and attestation_signing_certificate entries, then uncomment the previous entries with the same names.

Reload and restart the service:

sudo systemctl daemon-reload
sudo systemctl restart aembit_netid_attestor.service

Common errors

The subcommand validates the credential pair before making any changes. If validation fails, the credential store is not modified.

Swapped key and certificate files — If you pass the certificate file where the key is expected:

The private key file must be in the unencrypted PKCS8 format; Expected header: PRIVATE KEY; Observed header: CERTIFICATE

Mismatched key and certificate — If the key and certificate do not belong to the same key pair:

The signing key and the signing certificate do not match.

Rotate TLS certificates

TLS certificate rotation re-runs the NIA installer with new certificate files. The installer re-encrypts all credentials and restarts the service automatically.

Steps

Copy the new TLS certificate and key files to the NIA host.

Set all required environment variables, including the new TLS paths. You must provide all required variables, not only the ones that changed:

export TLS_PEM_PATH=/path/to/new-tls-cert.pem
export TLS_KEY_PATH=/path/to/new-tls-key.pem
export AEMBIT_ATTESTATION_SIGNING_CERTIFICATE_PATH=/path/to/signing-cert.pem
export AEMBIT_ATTESTATION_SIGNING_KEY_PATH=/path/to/signing-key.pem
export AEMBIT_VCENTER_URL=https://vcenter.example.com
# Set all other required environment variables

Re-run the installer from the NIA installation directory:
Terminal window
```
sudo -E ./install.sh
```
The installer re-encrypts the credentials and restarts the service.
Verify the service is healthy:
Terminal window
```
curl -k https://localhost:443/health
```

Rotate vCenter API credentials

vCenter API credentials are read from a file at NIA startup. Rotating them requires re-running the NIA installer with a new credentials file. The installer re-encrypts all credentials and restarts the service automatically.

Steps

Create a new credentials file on the NIA host. The file must contain a single line in the format username:password:
```
vcenter-service-account@vsphere.local:password
```

Set all required environment variables, including the path to the new credentials file. You must provide all required variables, not only the ones that changed:

export AEMBIT_VCENTER_CREDENTIALS_FILE=/path/to/new-vcenter-credentials
export AEMBIT_VCENTER_URL=https://vcenter.example.com
export TLS_PEM_PATH=/path/to/tls-cert.pem
export TLS_KEY_PATH=/path/to/tls-key.pem
export AEMBIT_ATTESTATION_SIGNING_CERTIFICATE_PATH=/path/to/signing-cert.pem
export AEMBIT_ATTESTATION_SIGNING_KEY_PATH=/path/to/signing-key.pem
# Set all other required environment variables

Re-run the installer from the NIA installation directory:
Terminal window
```
sudo -E ./install.sh
```
The installer re-encrypts the credentials and restarts the service.
Verify the service is healthy:
Terminal window
```
curl -k https://localhost:443/health
```

High availability considerations

When multiple NIA instances are deployed in the same network segment and the Agent Proxy is configured with AEMBIT_NETWORK_ATTESTOR_URLS, you can rotate credentials on each NIA with no impact to workload attestation.

Rotate one NIA at a time. The Agent Proxy distributes requests across all configured NIAs, shuffling on each refresh cycle. When one NIA is restarted for credential rotation, the Agent Proxy continues serving attestation requests through the remaining instances. Workloads experience no attestation interruption during a rolling rotation.

When rotating attestation signing certificates across a pool of NIAs, coordinate Trust Provider updates with the rotation sequence:

All NIAs share one signing certificate — Publish the new certificate to the Trust Provider before restarting any NIA. Briefly, both the old and new certificate should be trusted in the Trust Provider during the rollout window. Rotate one NIA at a time.
Each NIA has its own signing certificate — Publish each replacement certificate to the Trust Provider before restarting that NIA. Rotate one NIA at a time.

For TLS and vCenter credential rotation, rotate one NIA at a time using the installer procedure in the relevant section above.