CA (and sub-CA) are going to expire


james....@hootsuite.com

Sep 25, 2018, 2:35:22 PM
to Vault
Hi,

We've got a few CAs in our Vault that are going to expire in about a year, and we've started talking about what's involved to extend/rotate/renew them.

Is there any documentation on extending/rotating a CA cert, or should I be creating a new secrets endpoint with the new CA and try to migrate things over to it?

I can elaborate on our use cases if needed.

Thanks in advance!

   James

Anthony Teisseire

May 16, 2019, 4:23:23 PM
to Vault
Hello,

I'm considering using Vault as a PKI management system. I am also concerned about the renewal process of the CA and sub-CAs.
Did you ever find an answer to your question? I'd be interested to know the result of your findings.

Given the lack of documentation about this use case, I can imagine two directions so far (almost the same):
- Generate the CAs and SubCAs outside of Vault and keep the private keys safe. Import the CAs into Vault and handle the renewal manually, but this kind of defeats the purpose of using Vault in the first place (except for the generation of the final certificates).
- Generate the CAs and SubCAs in Vault and export the private key on their creation. Then follow the same process as above.

If anyone has a better option, I'd be glad to hear it.

Regards,

Anthony

Michel Vocks

May 17, 2019, 3:59:04 AM
to Vault
Hi Anthony,

I'm wondering about the use-case of the renewal of a CA root certificate. Usually, you generate a root certificate with a long TTL (10-20 years).
This is fine since the private key is only stored inside of Vault and is never exposed to the outside (type internal). If the root certificate really expires (after 10-20 years), I highly recommend generating a new root certificate and migrating to the new one.

Am I missing something critical here?

Cheers,
Michel

Anthony Teisseire

May 18, 2019, 12:32:05 PM
to Vault
Hi Michel,

Ultimately my original question was around the practice of keeping the original private key and reissuing a root CA from it.
After further reading on PKIs, I see that changing both the private key and the certificate of the Root CA seems to be quite a common practice. If that's the way the Vault PKI plugin was designed in the first place, I'm okay with that. What I am trying to do here is to make the future process of renewal as easy as possible on the guy who will eventually be responsible for it 10 years from now.

Thanks for the answer!

Best Regards,

Anthony
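The two renewal directions the thread lands on, re-issuing the root certificate from the original key (Anthony's first question) versus generating a new root key and certificate and migrating to it (Michel's recommendation), differ in one practical way: whether existing intermediates keep chaining. The script below is an added example, not code from the thread or from Vault; it builds a throwaway root and intermediate with the OpenSSL CLI so it runs offline, then shows that a re-issued root certificate with the same key and subject still validates the old intermediate, while a new-key root does not until the intermediate is re-signed. All names (`Example Root CA`, `Example Intermediate CA`), file names and validity periods are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread, not Vault code): two ways to handle a root
# CA certificate that is about to expire, worked through with the OpenSSL CLI.
#   A) Re-issue the ROOT CERTIFICATE from the existing key (same subject, same
#      key, fresh validity). Existing intermediates keep chaining to it.
#   B) Generate a NEW root key and certificate. Existing intermediates stop
#      chaining and must be re-signed by the new root.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory; everything in it is throwaway

# OpenSSL config for the CA certs (names are constructed for this example).
write_ca_config() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
CN = Example Root CA
[v3_ca]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
EOF
  # Extensions for the intermediate. The AKI is keyid-only on purpose: binding
  # the issuer's serial number would break strategy A, because the re-issued
  # root certificate gets a new serial even though the key is unchanged.
  cat > "$WORK/int.ext" <<'EOF'
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

# Root CA v1 (valid for only 1 day here, standing in for "expires soon") plus
# an intermediate CA whose CSR is signed by it.
setup_pki() {
  write_ca_config
  openssl genrsa -out "$WORK/root.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORK/root.key" -config "$WORK/ca.cnf" \
    -days 1 -out "$WORK/root-v1.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/int.key" \
    -config "$WORK/ca.cnf" -subj "/CN=Example Intermediate CA" \
    -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root-v1.crt" \
    -CAkey "$WORK/root.key" -CAcreateserial -days 10 \
    -extfile "$WORK/int.ext" -out "$WORK/int.crt" 2>/dev/null
}

# Strategy A: same key, same subject, fresh 10-year certificate.
reissue_root_same_key() {
  openssl req -x509 -new -key "$WORK/root.key" -config "$WORK/ca.cnf" \
    -days 3650 -out "$WORK/root-v2.crt" 2>/dev/null
}

# Strategy B: brand-new key pair and certificate.
generate_new_root() {
  openssl genrsa -out "$WORK/root2.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORK/root2.key" -config "$WORK/ca.cnf" \
    -days 3650 -out "$WORK/root-v3.crt" 2>/dev/null
}

# Re-sign the intermediate's original CSR under a root; required after B.
# $1 = root cert, $2 = root key
resign_intermediate() {
  openssl x509 -req -in "$WORK/int.csr" -CA "$1" -CAkey "$2" \
    -CAcreateserial -days 10 -extfile "$WORK/int.ext" \
    -out "$WORK/int-resigned.crt" 2>/dev/null
}

# Exit 0 if cert $2 chains to trust anchor $1, non-zero otherwise.
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Exit 0 if the two certificates carry the same public key.
same_public_key() {
  [ "$(openssl x509 -in "$1" -pubkey -noout)" = \
    "$(openssl x509 -in "$2" -pubkey -noout)" ]
}

demo() {
  setup_pki
  reissue_root_same_key
  generate_new_root
  resign_intermediate "$WORK/root-v3.crt" "$WORK/root2.key"
  chain_ok "$WORK/root-v2.crt" "$WORK/int.crt" \
    && echo "A: old intermediate still chains to the re-issued root (same key)"
  chain_ok "$WORK/root-v3.crt" "$WORK/int.crt" \
    || echo "B: old intermediate does NOT chain to the new-key root"
  chain_ok "$WORK/root-v3.crt" "$WORK/int-resigned.crt" \
    && echo "B: re-signed intermediate chains to the new-key root"
}

demo
```

In Vault terms (the endpoints discussed in this thread): strategy A needs the root key outside Vault, which is exactly Anthony's two options, an externally generated bundle imported through `pki/config/ca`, or a root created with `pki/root/generate/exported`. A root created with `pki/root/generate/internal` never releases its key, which is Michel's point, so the practical path there is strategy B: mount a new PKI backend, generate the new root, re-sign each intermediate CSR with `pki/root/sign-intermediate` and install the result with `pki/intermediate/set-signed`, then move issuers over before the old root expires.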