
Upgrading Client Certificate in Service Fabric


The cluster config has properties for "ThumbprintSecondary" for the Cluster and Server certificates to enable rolling upgrades of the certificates. How are client certificates upgraded?

"CertificateInformation": {
    "ClusterCertificate": {
        "Thumbprint": "[Thumbprint]",
        "ThumbprintSecondary": "[Thumbprint]",
        "X509StoreName": "My"
    },
    "ServerCertificate": {
        "Thumbprint": "[Thumbprint]",
        "ThumbprintSecondary": "[Thumbprint]",
        "X509StoreName": "My"
    },
    "ClientCertificateThumbprints": [
        {
            "CertificateThumbprint": "[Thumbprint]",
            "IsAdmin": false
        },
        {
            "CertificateThumbprint": "[Thumbprint]",
            "IsAdmin": true
        }
    ],
    "ClientCertificateCommonNames": [
        {
            "CertificateCommonName": "[CertificateCommonName]",
            "CertificateIssuerThumbprint" : "[Thumbprint]",
            "IsAdmin": true
        }
    ]
}

Solution

  • There is no rollover process for client certificates; you simply update the list of recognized certificate thumbprints, removing the thumbprints of clients whose access you want to cut off and adding the thumbprints of new ones.

    Since it is only the thumbprints, not the actual certs that are rolled out and installed on all the nodes, the process is a little faster than changing cluster certificates.

    I would recommend deploying an ARM template with the updated list of allowed thumbprints if you are changing more than one thumbprint at a time, since each change in the portal triggers an update of the Service Fabric nodes and that does take some time. If you update the entire list in the ARM template it ends up as just one update operation.
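The "rewrite the whole list in one go" approach from the answer, as an added example that is not part of the original question or answer and is not Service Fabric tooling. It edits the `CertificateInformation` block shown in the question (key names as on the page; the ARM template form of the same properties uses camelCase names) and produces one updated document to deploy. The thumbprints are constructed placeholders, not real certificates, and the refusal to write a config with no admin entry left is a guard this script adds, not a Service Fabric rule.

```python
"""Batch-update the client certificate allow-list of a Service Fabric
cluster configuration so that adds and removes ship as one update.

Added example for this page, not part of Service Fabric or its tooling.
Operates on the "CertificateInformation" block from the question, with the
key names used there. All thumbprints below are constructed placeholders.
"""
import json
import re
from copy import deepcopy

# Constructed placeholder thumbprints (40 hex chars, SHA-1 length). Not real certs.
OLD_USER_TP = "0123456789ABCDEF0123456789ABCDEF01234567"
OLD_ADMIN_TP = "89ABCDEF0123456789ABCDEF0123456789ABCDEF"
NEW_ADMIN_TP = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"

# Constructed sample mirroring the question's config. Cluster and server
# certificates are left as the page's placeholders; this script never touches them.
CURRENT_CONFIG = {
    "CertificateInformation": {
        "ClusterCertificate": {
            "Thumbprint": "[Thumbprint]",
            "ThumbprintSecondary": "[Thumbprint]",
            "X509StoreName": "My",
        },
        "ServerCertificate": {
            "Thumbprint": "[Thumbprint]",
            "ThumbprintSecondary": "[Thumbprint]",
            "X509StoreName": "My",
        },
        "ClientCertificateThumbprints": [
            {"CertificateThumbprint": OLD_USER_TP, "IsAdmin": False},
            {"CertificateThumbprint": OLD_ADMIN_TP, "IsAdmin": True},
        ],
        "ClientCertificateCommonNames": [],  # none in this sample
    }
}

THUMBPRINT_RE = re.compile(r"^[0-9A-F]{40}$")


def normalize_thumbprint(raw: str) -> str:
    """Canonicalise a thumbprint as pasted from certmgr or openssl output.

    Strips whitespace, ':' and '-' separators and the U+200E left-to-right
    mark the Windows certificate dialog is known to prepend to copied text,
    upper-cases the result and requires exactly 40 hex characters.
    """
    cleaned = re.sub(r"[\s:\-\u200e]", "", raw).upper()
    if not THUMBPRINT_RE.fullmatch(cleaned):
        raise ValueError(f"not a valid SHA-1 thumbprint: {raw!r}")
    return cleaned


def admin_count(cert_info: dict) -> int:
    """Admin-role client entries across both allow-lists (thumbprints and common names)."""
    entries = cert_info.get("ClientCertificateThumbprints", []) + \
        cert_info.get("ClientCertificateCommonNames", [])
    return sum(1 for e in entries if e.get("IsAdmin"))


def rotate_client_certs(config: dict, add=(), remove=()) -> dict:
    """Return a copy of `config` with `remove` thumbprints dropped from
    ClientCertificateThumbprints and `add` (thumbprint, is_admin) pairs
    appended, so the whole change can be deployed as one cluster update.

    Checks applied (this script's policy, not a Service Fabric rule):
    - every thumbprint is normalised and validated before use
    - removing a thumbprint that is not listed is an error (typo guard)
    - re-adding a listed thumbprint updates its IsAdmin flag, no duplicates
    - at least one admin entry must remain, so a bad edit cannot lock
      every operator out of the cluster
    """
    new_config = deepcopy(config)
    cert_info = new_config["CertificateInformation"]
    entries = cert_info.setdefault("ClientCertificateThumbprints", [])
    by_tp = {normalize_thumbprint(e["CertificateThumbprint"]): e for e in entries}
    for tp, entry in by_tp.items():  # canonicalise what is already there
        entry["CertificateThumbprint"] = tp

    for raw in remove:
        tp = normalize_thumbprint(raw)
        if tp not in by_tp:
            raise ValueError(f"cannot remove {tp}: not in the allow-list")
        del by_tp[tp]

    for raw, is_admin in add:
        tp = normalize_thumbprint(raw)
        by_tp[tp] = {"CertificateThumbprint": tp, "IsAdmin": bool(is_admin)}

    cert_info["ClientCertificateThumbprints"] = list(by_tp.values())
    if admin_count(cert_info) == 0:
        raise ValueError("refusing to write a config with no admin client certificate")
    return new_config


def main():
    # Swap the admin certificate: add the new one and drop the old one in a
    # single rewrite of the list, then emit one document to deploy.
    updated = rotate_client_certs(
        CURRENT_CONFIG,
        add=[("fe:dc:ba:98:76:54:32:10:fe:dc:ba:98:76:54:32:10:fe:dc:ba:98", True)],
        remove=[OLD_ADMIN_TP],
    )
    print(json.dumps(updated["CertificateInformation"], indent=2))


if __name__ == "__main__":
    main()
```

Running it prints the rewritten `CertificateInformation` block with the old admin thumbprint gone and the new one present; that single document is what you would deploy, rather than applying each thumbprint change separately in the portal. Removing the old admin without adding a replacement raises instead of producing a config nobody can administer.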