rotate_certificates
Rotate security certificates for Velociraptor deployments to maintain authentication integrity. Manage certificate validity periods and optionally rotate CA certificates with re-enrollment guidance.
Instructions
Rotate certificates for a deployment.

WARNING: Rotating the CA certificate will require re-enrollment of all agents.

Args:
- deployment_id: The deployment to rotate certificates for
- rotate_ca: Also rotate the CA certificate (requires re-enrollment)
- validity_days: Validity period for new certificates

Returns: New certificate fingerprints and re-enrollment instructions.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| deployment_id | Yes | The deployment to rotate certificates for | |
| rotate_ca | No | Also rotate the CA certificate (requires re-enrollment of all agents) | false |
| validity_days | No | Validity period, in days, for the new certificates | 365 |
Implementation Reference
- The `rotate_certificates` tool implementation, which manages CA and certificate rotation for Velociraptor deployments.
```python
import json

from mcp.types import TextContent


async def rotate_certificates(
    deployment_id: str,
    rotate_ca: bool = False,
    validity_days: int = 365,
) -> list[TextContent]:
    """Rotate certificates for a deployment.

    WARNING: Rotating CA certificate will require re-enrollment of all agents.

    Args:
        deployment_id: The deployment to rotate certificates for
        rotate_ca: Also rotate the CA certificate (requires re-enrollment)
        validity_days: Validity period for new certificates

    Returns:
        New certificate fingerprints and re-enrollment instructions.
    """
    try:
        from ..deployment.security import CertificateManager
        from ..deployment.deployers import DockerDeployer

        # Get deployment info
        deployer = DockerDeployer()
        info = await deployer.get_status(deployment_id)
        if not info:
            return [TextContent(
                type="text",
                text=json.dumps({
                    "error": f"Deployment not found: {deployment_id}",
                    "hint": "Use list_deployments tool to see available deployments",
                }, indent=2),
            )]

        # Load current certificates
        cert_manager = CertificateManager()
        bundle = cert_manager.load_bundle(deployment_id)
        if not bundle:
            return [TextContent(
                type="text",
                text=json.dumps({"error": "Certificate bundle not found"}, indent=2),
            )]

        # Hostname for the new server certificate, taken from the deployment's
        # server URL (scheme://host[:port])
        server_hostname = info.server_url.split("://")[1].split(":")[0]

        if rotate_ca:
            # Generate an entirely new bundle: new CA plus new server and client
            # certificates. Enrolled agents pin the old CA, so every agent must
            # be re-enrolled with a configuration that carries the new one.
            new_bundle = cert_manager.generate_bundle(
                server_hostname=server_hostname,
                cert_validity_days=validity_days,
            )
            cert_manager.save_bundle(new_bundle, deployment_id)
            return [TextContent(
                type="text",
                text=json.dumps({
                    "success": True,
                    "ca_rotated": True,
                    "new_ca_fingerprint": new_bundle.ca_fingerprint,
                    "warning": "All agents must be re-enrolled with new configuration",
                    "action_required": "Generate new agent installers and redeploy",
                }, indent=2),
            )]
        else:
            # TODO: Implement server/client cert rotation without CA
            return [TextContent(
                type="text",
                text=json.dumps({
                    "error": "Certificate rotation without CA is not yet implemented",
                    "suggestion": "Use rotate_ca=True to perform full rotation",
                }, indent=2),
            )]
    except ImportError as e:
        return [TextContent(
            type="text",
            text=json.dumps({
                "error": f"Missing dependency: {str(e)}",
                "hint": "Install required packages with: pip install megaraptor-mcp[deployment]",
            }, indent=2),
        )]
    except Exception:
        # Generic errors - don't expose internals to the caller
        return [TextContent(
            type="text",
            text=json.dumps({
                "error": "Operation failed",
                "hint": "Check deployment configuration and try again",
            }, indent=2),
        )]
```
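The tool above implements only the `rotate_ca=True` path and leaves leaf (server/client) rotation as a TODO. The following is an added example, not megaraptor-mcp or Velociraptor code, that models both rotation modes so the re-enrollment consequence is explicit: an enrolled agent accepts a server certificate only if it chains to the CA pinned in the agent's configuration, so rotating leaf certificates under the existing CA is transparent to agents, while rotating the CA invalidates every agent's trust anchor. It also shows two checks a practitioner wants around `validity_days`: a new leaf certificate must not outlive the CA that signs it, and rotation should be scheduled before expiry rather than at it. Certificate issuance is modelled (the `Cert`, `Bundle`, `_issue`, `generate_bundle`, `rotate`, `chains_to` and `days_until_rotation` names are all assumptions of this example); DER bytes are constructed from the subject name and issue time so each issuance gets a fresh fingerprint, and a real deployment would produce real X.509 certificates at that point.

```python
"""Rotation model for a Velociraptor-style certificate bundle (added example,
not project code). Uses only the standard library; X.509 issuance is modelled."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Cert:
    """Minimal certificate model: enough to reason about rotation and trust."""
    name: str
    der: bytes            # constructed stand-in for DER-encoded certificate bytes
    not_before: datetime
    not_after: datetime
    issuer_fp: str        # SHA-256 fingerprint of the issuing CA (self for a CA)


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint as colon-separated upper-case hex, the form operators compare."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _issue(name: str, issuer: "Cert | None", now: datetime, validity_days: int) -> Cert:
    """Modelled issuance: `issuer` signs a leaf for `name`, or a CA signs itself.
    The bytes are derived from name and issue time so every issuance yields a
    distinct fingerprint; a real implementation would build an X.509 cert here."""
    der = hashlib.sha256(f"{name}|{now.isoformat()}|{validity_days}".encode()).digest()
    issuer_fp = fingerprint(issuer.der) if issuer else fingerprint(der)
    return Cert(name, der, now, now + timedelta(days=validity_days), issuer_fp)


def chains_to(leaf: Cert, trusted_ca: Cert, now: datetime) -> bool:
    """What an enrolled agent does: accept the server cert only if it was issued
    by the CA pinned in the agent config and is inside its validity window."""
    return (leaf.issuer_fp == fingerprint(trusted_ca.der)
            and leaf.not_before <= now <= leaf.not_after)


@dataclass
class Bundle:
    ca: Cert
    server: Cert
    client: Cert


def generate_bundle(server_hostname: str, now: datetime,
                    cert_validity_days: int, ca_validity_days: int = 3650) -> Bundle:
    """Full bundle: new CA, plus server and API-client certs signed by it."""
    ca = _issue("velociraptor-ca", None, now, ca_validity_days)
    return Bundle(ca,
                  _issue(server_hostname, ca, now, cert_validity_days),
                  _issue("api-client", ca, now, cert_validity_days))


def rotate(bundle: Bundle, now: datetime, validity_days: int,
           rotate_ca: bool = False, ca_validity_days: int = 3650) -> tuple[Bundle, dict]:
    """Rotate leaf certs under the existing CA, or the whole bundle including the CA."""
    if rotate_ca:
        new = generate_bundle(bundle.server.name, now, validity_days, ca_validity_days)
        report = {"ca_rotated": True, "reenrollment_required": True,
                  "new_ca_fingerprint": fingerprint(new.ca.der)}
    else:
        # A leaf cannot be valid beyond its issuer: clamp the requested validity
        # to the remaining lifetime of the CA and report when that happened.
        ca_days_left = max(0, (bundle.ca.not_after - now).days)
        days = min(validity_days, ca_days_left)
        new = Bundle(bundle.ca,
                     _issue(bundle.server.name, bundle.ca, now, days),
                     _issue(bundle.client.name, bundle.ca, now, days))
        report = {"ca_rotated": False, "reenrollment_required": False,
                  "validity_clamped_to_ca": days < validity_days}
    report["server_fingerprint"] = fingerprint(new.server.der)
    return new, report


def days_until_rotation(cert: Cert, now: datetime, renew_at: float = 2 / 3) -> int:
    """Days until rotation is due; negative means overdue. Rotation is scheduled
    when `renew_at` of the validity period has elapsed, leaving a buffer before expiry."""
    due = cert.not_before + (cert.not_after - cert.not_before) * renew_at
    return (due - now).days


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)           # constructed timestamps
    enrolled = generate_bundle("velo.example.internal", t0, 365)
    t1 = t0 + timedelta(days=300)
    leaf_only, rep = rotate(enrolled, t1, 365)
    print("leaf rotation, old agents still trust server:", chains_to(leaf_only.server, enrolled.ca, t1), rep)
    full, rep = rotate(enrolled, t1, 365, rotate_ca=True)
    print("CA rotation, old agents still trust server:", chains_to(full.server, enrolled.ca, t1), rep)
```

`chains_to` stands in for the agent's TLS verification against its pinned CA; the two printed lines show the difference the tool's WARNING describes. `days_until_rotation` gives an operator a renewal trigger derived from `validity_days`, so a 365-day bundle is rotated around day 243 rather than on its expiry date.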