Certificate Renewal and Rotation
System ↔ System. Monitor expiry → renew → validate → deploy → confirm.
5 nodes · 5 edges · security

Visualization

Monitor certificate expiry [system]
Alert 30 days before expiry.
↓ conditional → Request renewal
Request renewal [api]
Renew through ACME/Let's Encrypt or the certificate authority.
↓ sequential → Validate new certificate
Validate new certificate [system]
Check the certificate chain, SANs, and key strength.
↓ sequential → Deploy certificate
Deploy certificate [cli]
Update load balancers, CDN, and each service.
↓ sequential → TLS connection test
TLS connection test [cicd]
Verify that HTTPS works on every endpoint.
↓ fallback → Deploy certificate (rollback to the old certificate)
uc-cert-renewal.osop.yaml
osop_version: "1.0"
id: "cert-renewal"
name: "Certificate Renewal and Rotation"
description: "Monitor expiry → renew → validate → deploy → confirm."
nodes:
  - id: "monitor_expiry"
    type: "system"
    name: "Monitor certificate expiry"
    description: "Alert 30 days before expiry."
  - id: "renew"
    type: "api"
    name: "Request renewal"
    description: "Renew through ACME/Let's Encrypt or the certificate authority."
    retry_policy:
      max_attempts: 3
  - id: "validate_cert"
    type: "system"
    name: "Validate new certificate"
    description: "Check the certificate chain, SANs, and key strength."
  - id: "deploy"
    type: "cli"
    subtype: "script"
    name: "Deploy certificate"
    description: "Update load balancers, CDN, and each service."
    security:
      risk_level: "high"
  - id: "verify"
    type: "cicd"
    subtype: "test"
    name: "TLS connection test"
    description: "Verify that HTTPS works on every endpoint."
edges:
  - from: "monitor_expiry"
    to: "renew"
    mode: "conditional"
    when: "days_until_expiry <= 30"
  - from: "renew"
    to: "validate_cert"
    mode: "sequential"
  - from: "validate_cert"
    to: "deploy"
    mode: "sequential"
  - from: "deploy"
    to: "verify"
    mode: "sequential"
  # Taken when the TLS test fails: re-enters deploy to restore the previous certificate.
  - from: "verify"
    to: "deploy"
    mode: "fallback"
    label: "Rollback to old cert"
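The monitor_expiry and validate_cert nodes above name their checks (days until expiry; chain, SANs, key strength) but the page does not show how they are implemented. The following Go program is an added example written for this page; it is not part of uc-cert-renewal.osop.yaml, nor code from any osop runtime. It implements the validate_cert checks with the standard library's crypto/x509 and computes the days_until_expiry value that drives the conditional edge. The hostnames, the 90-day and 10-day lifetimes, the 2048-bit RSA / 256-bit ECDSA minimums, and the throwaway private root built by BuildTestChain are all assumptions made so the example runs offline; in the real workflow the leaf certificate comes from the renew node.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ValidationResult is what the validate_cert node reports to the deploy step.
type ValidationResult struct {
	DaysUntilExpiry                int
	ChainOK, SANsOK, KeyStrengthOK bool
	Problems                       []string
}

// OK gates the deploy node: the new certificate is pushed only when it is true.
func (r ValidationResult) OK() bool { return r.ChainOK && r.SANsOK && r.KeyStrengthOK }

// NeedsRenewal is the monitor_expiry -> renew edge condition ("days_until_expiry <= 30").
func NeedsRenewal(daysUntilExpiry int) bool { return daysUntilExpiry <= 30 }

// ValidateCertificate runs the checks the validate_cert node names (chain, SANs, key
// strength) and computes days_until_expiry. requiredHosts are the names actually served.
func ValidateCertificate(leaf *x509.Certificate, intermediates *x509.CertPool, roots *x509.CertPool,
	requiredHosts []string, now time.Time) ValidationResult {
	res := ValidationResult{ChainOK: true, SANsOK: true, KeyStrengthOK: true}
	res.DaysUntilExpiry = int(leaf.NotAfter.Sub(now).Hours() / 24)
	fail := func(ok *bool, msg string) { *ok = false; res.Problems = append(res.Problems, msg) }
	// Chain: path to a trusted root as a TLS client builds it; this also enforces the
	// validity period and the serverAuth extended key usage. intermediates may be nil.
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates,
		CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}); err != nil {
		fail(&res.ChainOK, "chain: "+err.Error())
	}
	// SANs: every served hostname must match; a matching CN alone is not enough.
	for _, h := range requiredHosts {
		if err := leaf.VerifyHostname(h); err != nil {
			fail(&res.SANsOK, "san: "+err.Error())
		}
	}
	// Key strength (assumed policy): RSA of at least 2048 bits, or ECDSA on a curve of at least 256 bits.
	switch pub := leaf.PublicKey.(type) {
	case *rsa.PublicKey:
		if bits := pub.N.BitLen(); bits < 2048 {
			fail(&res.KeyStrengthOK, fmt.Sprintf("key: RSA %d bits < 2048", bits))
		}
	case *ecdsa.PublicKey:
		if bits := pub.Curve.Params().BitSize; bits < 256 {
			fail(&res.KeyStrengthOK, fmt.Sprintf("key: ECDSA %d-bit curve < 256", bits))
		}
	default:
		fail(&res.KeyStrengthOK, fmt.Sprintf("key: unsupported type %T", pub))
	}
	return res
}

// must panics on error; scaffolding for the constructed test chain below.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildTestChain is constructed for this example only: a throwaway private root and a leaf
// for hosts so the checks run offline. In the real workflow the leaf comes from the renew node.
func BuildTestChain(hosts []string, leafRSABits, lifetimeDays int, now time.Time) (*x509.Certificate, *x509.CertPool) {
	caKey := must(rsa.GenerateKey(rand.Reader, 2048))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "Example Test Root"}, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0)}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafKey := must(rsa.GenerateKey(rand.Reader, leafRSABits))
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: hosts,
		Subject: pkix.Name{CommonName: hosts[0]}, NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(0, 0, lifetimeDays),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leaf := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))))
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return leaf, roots
}

func main() {
	now := time.Date(2025, 6, 1, 12, 0, 0, 0, time.UTC)
	hosts := []string{"www.example.com", "api.example.com"}
	// Constructed cases: a healthy 2048-bit leaf with 90 days left, then a 1024-bit leaf with 10 days left.
	for _, c := range [][2]int{{2048, 90}, {1024, 10}} {
		leaf, roots := BuildTestChain(hosts, c[0], c[1], now)
		res := ValidateCertificate(leaf, nil, roots, hosts, now)
		fmt.Printf("rsa-%d: days_until_expiry=%d renew=%v deploy_ok=%v %v\n", c[0], res.DaysUntilExpiry, NeedsRenewal(res.DaysUntilExpiry), res.OK(), res.Problems)
	}
}
```

Run it as a plain `go run`: the first case passes every check and is not yet due for renewal; the second trips the 30-day monitor condition and is rejected on key strength, so it would never reach the deploy node. That gate matters here because the only recovery path in the workflow is the fallback edge from the TLS test back to deploy, and it is cheaper to reject a bad certificate on the validation step than to exercise the rollback after it has already been pushed to the load balancers and CDN.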