Updated on 2022-11-17 GMT+08:00

Rotating a Private CA

  • Private CA rotation is the process of replacing a private CA that is about to expire with a new one.
  • The administrator of a private CA must set a proper validity period for the private CA.

    If the validity period is too long, the risk that the key material is leaked increases. If the validity period is too short, the private CA is rotated frequently, which increases the service overhead.

  • To ensure a smooth service switchover, plan the rotation scheme of private CAs in advance.

Procedure

  1. Create a new CA and disable the old CA so that it no longer issues certificates. Use the new CA to issue new certificates, replace the certificates issued by the old CA with the new ones, and deploy the new certificates on the corresponding service nodes.

    • Until the old CA has been replaced, the service system must trust both the new and the old CA.
    • If a subordinate CA is to be replaced, the service node automatically trusts both the new and the old subordinate CA as long as both chain to the same root CA.
    • If the root CA is to be replaced, add the new root CA to the trusted root certificate list of the service node before removing the old one, so that certificates issued by the new root CA are trusted from the start.

  2. After the new certificates are in place, revoke and delete the old certificates, including the old CA.

    • A proper periodic private CA rotation scheme ensures that certificates are continuously updated and prevents private keys from being cracked. An emergency private CA rotation scheme prevents service loss caused by emergencies such as a private key leak or a CA that is no longer trusted.
    • The new CA should carry an identifiable version tag in its subject name, for example ROOT CA G0 -> ROOT CA G1, so that the new and old CAs can be quickly told apart during private CA rotation.
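The two-step procedure above, as an added example that is not part of the original page: a root CA rotation from ROOT CA G0 to ROOT CA G1 simulated with the openssl command-line tool (assumed to be installed), showing that the old and new service certificates both validate during the overlap phase and that the old one is rejected once the old root is removed from the trusted list.

```shell
#!/bin/sh
# Added example (not from the original page): simulate a root CA rotation
# ROOT CA G0 -> ROOT CA G1 with the openssl CLI (assumed to be installed).
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed root CA whose subject carries the generation tag ($1 = G0 or G1).
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=ROOT CA $1" -keyout "$WORK/root_$1.key" \
    -out "$WORK/root_$1.pem" 2>/dev/null
}

# Issue an end-entity certificate ($2) from the root of generation $1.
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -days 10 -sha256 \
    -CA "$WORK/root_$1.pem" -CAkey "$WORK/root_$1.key" -CAcreateserial \
    -out "$WORK/$2.pem" 2>/dev/null
}

# Returns 0 when certificate $2 chains to a root in trust bundle $1.
trusts() { openssl verify -CAfile "$1" "$WORK/$2.pem" >/dev/null 2>&1; }

make_root G0
make_root G1
issue_leaf G0 service-old   # certificate still deployed from the old CA
issue_leaf G1 service-new   # its replacement, issued by the new CA

# Step 1: service nodes trust both generations while certificates are swapped.
cat "$WORK/root_G0.pem" "$WORK/root_G1.pem" > "$WORK/trust_both.pem"
# Step 2: after cut-over the old root is removed from the trusted list.
cp "$WORK/root_G1.pem" "$WORK/trust_new.pem"

# During the overlap both the old and the new certificate must validate.
overlap_phase_ok() {
  trusts "$WORK/trust_both.pem" service-old &&
    trusts "$WORK/trust_both.pem" service-new
}
# After cut-over only the new certificate validates; the old one is rejected.
cutover_phase_ok() {
  ! trusts "$WORK/trust_new.pem" service-old &&
    trusts "$WORK/trust_new.pem" service-new
}
# Generation tag read back from the new root's subject (ROOT CA G1).
new_ca_subject() { openssl x509 -noout -subject -in "$WORK/root_G1.pem"; }
overlap_phase_ok && cutover_phase_ok && echo "rotation G0 -> G1 verified"
```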