Self Hosted Root CA 10 year expiry renewal. #2152

ken-master · 2025-01-31T07:52:44Z

ken-master
Jan 31, 2025

Setup: Self-hosted

So Root CA expiration has a 10years validity. we want to rotate or renew the root ca at 1 year before it expires. What I was testing is to create a new Root CA with different port. i.e

old: ca-root-url.com
new: ca-root-url.com:9000

bootstrap to the new ca url
re-create the crt/key from the new ca url
decommission the old ca- url

this seems tedious to implement. is there a straightforward implementation for this?

Answered by tashian

Feb 3, 2025

It can be a complex process to rotate roots.

The general steps are:

Stand up a second CA and new root
Add the new root to all clients as trusted
Migrate all certificate issuance over to the new CA
Remove old root as trusted (optional)
Turn off the old CA

One thing we've added to simplify things a little, in the step client, is the contexts feature.
It lets you easily manage multiple CA connections.

View full answer

tashian · 2025-02-03T03:34:48Z

tashian
Feb 3, 2025
Collaborator

It can be a complex process to rotate roots.

The general steps are:

Stand up a second CA and new root
Add the new root to all clients as trusted
Migrate all certificate issuance over to the new CA
Remove old root as trusted (optional)
Turn off the old CA

One thing we've added to simplify things a little, in the step client, is the contexts feature.
It lets you easily manage multiple CA connections.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Self Hosted Root CA 10 year expiry renewal. #2152

{{title}}

Replies: 1 comment

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Select a reply

Self Hosted Root CA 10 year expiry renewal. #2152

ken-master Jan 31, 2025

Replies: 1 comment

tashian Feb 3, 2025 Collaborator

ken-master
Jan 31, 2025

tashian
Feb 3, 2025
Collaborator