explain how to retire a cert (team#41174)

bbe2efe9 · anarcat · 4ba9e4db · bbe2efe9
Verified Commit bbe2efe9 authored 1 year ago by anarcat
--- a/howto/tls.md
+++ b/howto/tls.md
@@ -99,6 +99,29 @@ CA to the certificate chain (`.crt-chained`).
 The cross-signed CA is available at https://repo.harica.gr but it may be simply
 copied from the previous certificate bundle.

+## Retiring a certificate
+
+If a certificate is not in use, it needs to be destroyed. Nagios will
+warn about the certificate expiring if it's not in use. For example:
+
+    WARN (1): tpa-bootstrap.torproject.org
+
+... tells us the `tpa-bootstrap.torproject.org` is going to expire,
+which is because the site was retired.
+
+To destroy this certificate, first remove it from the
+`letsencrypt-domains.git` repository, in the `domains` file.
+
+Then login to the name server (currently `nevii`) and destroy the
+repositories:
+
+    rm -r \
+        /srv/letsencrypt.torproject.org/var/result/tpa-bootstrap.torproject.org* \
+        /srv/letsencrypt.torproject.org/var/certs/tpa-bootstrap.torproject.org
+
+When you push the `letsencrypt-domains.git` repository, this will sync
+over to the `pauli` server and silence the warning.
+
 # How-to

 ## Pager playbook