Certificate Renewal & Rotation
System ↔ System
Monitor expiry → renew → validate → deploy → verify.
5 nodes · 5 edges · security
system · api · cli
Visual
Monitor Certificate Expiry (system)
Alert 30 days before expiration.
↓ conditional → Request Renewal
Request Renewal (api)
ACME/Let's Encrypt or CA renewal.
↓ sequential → Validate New Certificate
Validate New Certificate (system)
Check chain, SANs, key strength.
↓ sequential → Deploy Certificate
Deploy Certificate (cli)
Update load balancers, CDN, services.
↓ sequential → TLS Connectivity Test
TLS Connectivity Test (cicd)
Verify HTTPS works on all endpoints.
↓ fallback → Deploy Certificate
uc-cert-renewal.osop.yaml
osop_version: "1.0"
id: "cert-renewal"
name: "Certificate Renewal & Rotation"
description: "Monitor expiry → renew → validate → deploy → verify."
nodes:
  - id: "monitor_expiry"
    type: "system"
    name: "Monitor Certificate Expiry"
    description: "Alert 30 days before expiration."
  - id: "renew"
    type: "api"
    name: "Request Renewal"
    description: "ACME/Let's Encrypt or CA renewal."
    retry_policy:
      max_attempts: 3
  - id: "validate_cert"
    type: "system"
    name: "Validate New Certificate"
    description: "Check chain, SANs, key strength."
  - id: "deploy"
    type: "cli"
    subtype: "script"
    name: "Deploy Certificate"
    description: "Update load balancers, CDN, services."
    security:
      risk_level: "high"
  - id: "verify"
    type: "cicd"
    subtype: "test"
    name: "TLS Connectivity Test"
    description: "Verify HTTPS works on all endpoints."
edges:
  - from: "monitor_expiry"
    to: "renew"
    mode: "conditional"
    when: "days_until_expiry <= 30"
  - from: "renew"
    to: "validate_cert"
    mode: "sequential"
  - from: "validate_cert"
    to: "deploy"
    mode: "sequential"
  - from: "deploy"
    to: "verify"
    mode: "sequential"
  - from: "verify"
    to: "deploy"
    mode: "fallback"
    label: "Rollback to old cert"
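
An added example, not part of the OSOP workflow file above: a Python sketch of the 30-day condition on the monitor_expiry → renew edge and of the SAN part of the validate_cert gate, so that a renewed certificate that dropped a hostname is stopped before the high-risk deploy step. It assumes certificates in the dict shape returned by Python's ssl.SSLSocket.getpeercert(); the function names, hosts and sample certificates are hypothetical, and the chain and key-strength checks are left out because they need the parsed certificate itself.

```python
import ssl
from datetime import datetime, timezone

RENEW_THRESHOLD_DAYS = 30  # edge condition on the page: days_until_expiry <= 30

def days_until_expiry(cert, now):
    """Whole days from `now` (aware UTC datetime) to the cert's notAfter."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (expires - now).days

def needs_renewal(cert, now):
    """monitor_expiry -> renew: fire once the cert is inside the window."""
    return days_until_expiry(cert, now) <= RENEW_THRESHOLD_DAYS

def san_matches(pattern, host):
    """Compare one DNS SAN with a hostname; '*' stands for one leftmost label only."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def validate_new_cert(new, old, required_hosts, now):
    """validate_cert gate: return a list of problems; empty means proceed to deploy."""
    problems = []
    sans = [value for kind, value in new.get("subjectAltName", ()) if kind == "DNS"]
    for host in required_hosts:
        if not any(san_matches(p, host) for p in sans):
            problems.append(f"missing SAN for {host}")
    if needs_renewal(new, now):
        problems.append("new certificate is already inside the renewal window")
    if ssl.cert_time_to_seconds(new["notAfter"]) <= ssl.cert_time_to_seconds(old["notAfter"]):
        problems.append("new certificate does not outlive the one it replaces")
    return problems

# Constructed sample data (hypothetical hosts under the reserved .test TLD).
NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)
HOSTS = ["example.test", "api.example.test"]
OLD_CERT = {"notAfter": "Mar 21 00:00:00 2025 GMT",
            "subjectAltName": (("DNS", "example.test"), ("DNS", "*.example.test"))}
NEW_OK = {"notAfter": "May 30 00:00:00 2025 GMT",
          "subjectAltName": (("DNS", "example.test"), ("DNS", "*.example.test"))}
NEW_BAD = {"notAfter": "May 30 00:00:00 2025 GMT",
           "subjectAltName": (("DNS", "example.test"),)}  # renewal dropped the wildcard

if __name__ == "__main__":
    print("renew old cert?", needs_renewal(OLD_CERT, NOW))
    print("NEW_OK :", validate_new_cert(NEW_OK, OLD_CERT, HOSTS, NOW))
    print("NEW_BAD:", validate_new_cert(NEW_BAD, OLD_CERT, HOSTS, NOW))
```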