Updated on 2022-07-08 GMT+08:00

Rotating Your Private Certificate

Private certificates (including private keys) are deployed on service nodes and are frequently used for encrypted communications. To prevent private key leakage, configure the validity period and rotation period of private certificates according to your service's security requirements. Private certificate rotation means replacing the old private certificate with a new one. For example, a private certificate used for a highly confidential encrypted meeting usually has a validity period measured in hours, whereas one deployed on a web server usually has a validity period measured in years. Currently, SSL certificates issued by international certificate authorities are generally valid for one year.

The rotation period of a private certificate is set based on its expiration date. The basic principle of certificate rotation is to replace the old private certificate with the new one on the corresponding working node before the old one expires, so that communication is not interrupted by certificate expiry.

  • To prevent service interruption caused by expiration of the old private certificate, reserve enough time for the rotation to complete: if the first rotation fails due to uncontrollable factors, re-rotating or manually rotating the old private certificate may take considerably longer.
  • If the replaced old private certificate still has a long validity period, revoke it to prevent abuse.
  • If the old and new private certificates have different root CAs, add the new root CA to the root CA trust list.
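The three rules above can be turned into a small planning check that runs on each working node. The following Go program is an added example and not code from this documentation or from any certificate service; it uses only the standard crypto/x509 package. The policy values (a 30-day lead time before expiry, revocation when more than 7 days of validity remain), the node name, and the two self-signed test CAs it mints are all constructed assumptions for the demonstration. The planner computes the rotation deadline as NotAfter minus the lead time, flags an old certificate that would keep a long validity after replacement for revocation, and flags a new certificate that does not chain to the node's current root trust list so the new root CA can be added first.

```go
package main

// Added example (not from the documentation page): a certificate rotation
// planner built on Go's standard crypto/x509. Policy values, host names and
// the test CAs below are constructed fixtures, not real infrastructure.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RotationPolicy is a hypothetical policy. Lead is the time reserved before
// expiry so that a failed rotation can still be retried or done by hand.
// RevokeIfRemaining is the remaining validity above which a replaced
// certificate should be revoked rather than left to expire on its own.
type RotationPolicy struct {
	Lead              time.Duration
	RevokeIfRemaining time.Duration
}

// Plan is the planner's verdict for one working node.
type Plan struct {
	RotateNow bool // the old certificate is inside the rotation window
	RevokeOld bool // the old certificate keeps enough validity to be abused
	AddRoot   bool // the new certificate does not chain to the current trust list
}

// RotationDeadline is the latest moment rotation should start: NotAfter minus Lead.
func RotationDeadline(old *x509.Certificate, p RotationPolicy) time.Time {
	return old.NotAfter.Add(-p.Lead)
}

// PlanRotation decides, at time now, what to do with the old certificate given
// the candidate replacement and the node's current root CA trust list.
func PlanRotation(old, next *x509.Certificate, roots *x509.CertPool, p RotationPolicy, now time.Time) Plan {
	// Verify chains `next` against the node's trust list only (not system roots).
	_, err := next.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now})
	return Plan{
		RotateNow: !now.Before(RotationDeadline(old, p)),
		RevokeOld: old.NotAfter.Sub(now) > p.RevokeIfRemaining,
		AddRoot:   err != nil,
	}
}

// newTestCA mints a self-signed CA for the example (constructed fixture, not a real CA).
func newTestCA(name string, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-24 * time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// issue signs a server certificate for host from ca, valid from notBefore for lifetime.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, notBefore time.Time, lifetime time.Duration) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(notBefore.Unix()),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func main() {
	now := time.Date(2022, 7, 8, 0, 0, 0, 0, time.UTC) // fixed clock for reproducibility
	policy := RotationPolicy{Lead: 30 * 24 * time.Hour, RevokeIfRemaining: 7 * 24 * time.Hour}

	// Old one-year certificate with 20 days left, issued by root CA 1.
	oldCA, oldKey := newTestCA("Example Private Root CA 1", now.Add(-400*24*time.Hour))
	old := issue(oldCA, oldKey, "web.example.internal", now.Add(-345*24*time.Hour), 365*24*time.Hour)
	// Replacement issued today by a different root CA 2, which the node does not trust yet.
	newCA, newKey := newTestCA("Example Private Root CA 2", now)
	next := issue(newCA, newKey, "web.example.internal", now, 365*24*time.Hour)

	trust := x509.NewCertPool()
	trust.AddCert(oldCA)
	plan := PlanRotation(old, next, trust, policy, now)
	fmt.Printf("deadline=%s rotate=%t revoke=%t addRoot=%t\n",
		RotationDeadline(old, policy).Format(time.RFC3339), plan.RotateNow, plan.RevokeOld, plan.AddRoot)
}
```

In the scenario in `main`, the old certificate has 20 days of validity left, which is inside the 30-day lead window, so the planner reports that rotation must start now, that the old certificate should be revoked after replacement (20 days is more than the 7-day threshold), and that root CA 2 must be added to the node's trust list before the new certificate is installed. Verifying against the node's own pool rather than the system roots is deliberate: it answers the question the third rule asks, namely whether this node, as configured today, would accept the new certificate.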