Managing CA rotation
This page explains how you can manage the rotation of a CA in a CA pool. For more information about CA pools, see Overview of CA pools.
Ensure seamless CA rotation
Seamless CA rotation is essential both for avoiding service downtime during a planned rotation and for responding to an emergency. The following procedure explains how to rotate a CA seamlessly.
1. Find the CA pool for the existing CA that is due to expire.
2. Create a CA in the same CA pool. The CA is created in the STAGED state and cannot issue certificates through CA pool load-balancing. CAs in the STAGED state can only issue certificates when requested directly by the clients. For more information about CA states, see CA states.
3. Ensure that all clients have downloaded the latest set of CA certificates from the CA pool.
4. Change the state of the new CA to ENABLED. This ensures that certificates can be issued from both the old and the new CA. For information about enabling certificate authorities, see Enable a CA.
5. Change the state of the old CA to DISABLED. This ensures that certificates won't be issued by the old CA. For information about disabling certificate authorities, see Disable a CA.
6. Wait until all clients have stopped using the certificates issued from the old CA. You can ensure that in two ways:
   - Wait for the maximum certificate lifetime.
   - Monitor the certificates being used by your clients.
7. Delete the old CA. For more information about deleting a CA, see Delete certificate authorities.
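The procedure above relies on two ordering guarantees: the new CA is ENABLED before the old one is DISABLED, so pool-level issuance never stalls, and the old CA is deleted only once none of its certificates can still be in use. The following Python model, added here as an illustration and not part of this page or of the CA Service API, checks both. It assumes a pool-wide maximum certificate lifetime, stands in round-robin selection for the pool's load-balancing, and represents "monitoring the certificates used by clients" as the set of issuer names observed on live client certificates; all CA names, dates and lifetimes are constructed.

```python
"""Constructed model of a CA pool during CA rotation (not the CA Service API)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class CaState(Enum):
    STAGED = "STAGED"      # created; answers direct requests only, never pool load-balancing
    ENABLED = "ENABLED"    # eligible for pool-level (load-balanced) issuance
    DISABLED = "DISABLED"  # issues nothing; kept until its certificates are out of use


@dataclass
class Ca:
    name: str
    state: CaState = CaState.STAGED
    disabled_at: Optional[datetime] = None


@dataclass
class Certificate:
    serial: int
    issuer: str
    not_after: datetime


@dataclass
class CaPool:
    max_lifetime: timedelta               # assumed pool-wide maximum certificate lifetime
    cas: dict = field(default_factory=dict)
    issued: list = field(default_factory=list)
    _next_serial: int = 1
    _rr: int = 0                          # round-robin cursor standing in for load-balancing

    def create_ca(self, name: str) -> Ca:
        ca = self.cas[name] = Ca(name)    # a new CA always starts STAGED
        return ca

    def set_state(self, name: str, state: CaState, now: datetime) -> None:
        ca = self.cas[name]
        ca.state = state
        ca.disabled_at = now if state is CaState.DISABLED else None

    def enabled_cas(self) -> list:
        return [ca for ca in self.cas.values() if ca.state is CaState.ENABLED]

    def issue(self, now: datetime, lifetime: timedelta, ca_name: Optional[str] = None) -> Certificate:
        if lifetime > self.max_lifetime:
            raise ValueError("requested lifetime exceeds the pool maximum")
        if ca_name is None:               # pool-level request: load-balance over ENABLED CAs only
            candidates = self.enabled_cas()
            if not candidates:
                raise RuntimeError("no ENABLED CA in pool: issuance outage")
            ca = candidates[self._rr % len(candidates)]
            self._rr += 1
        else:                             # direct request: a STAGED or ENABLED CA may answer
            ca = self.cas[ca_name]
            if ca.state is CaState.DISABLED:
                raise RuntimeError(f"{ca_name} is DISABLED and cannot issue")
        cert = Certificate(self._next_serial, ca.name, now + lifetime)
        self._next_serial += 1
        self.issued.append(cert)
        return cert

    def safe_to_delete(self, name: str, now: datetime, observed_issuers=None) -> bool:
        """Either wait out the maximum lifetime or rely on monitoring of client certificates."""
        ca = self.cas[name]
        if ca.state is not CaState.DISABLED:
            return False
        if observed_issuers is not None:  # monitoring: issuer names seen on live client certificates
            return name not in observed_issuers
        return now >= ca.disabled_at + self.max_lifetime  # nothing it issued can still be valid

    def delete_ca(self, name: str, now: datetime, observed_issuers=None) -> None:
        if not self.safe_to_delete(name, now, observed_issuers):
            raise RuntimeError(f"{name} may still have certificates in use")
        del self.cas[name]


def rotate(pool: CaPool, old: str, new: str, now: datetime) -> datetime:
    """Enable the new CA, then disable the old one; return the earliest time the old CA
    can be deleted without monitoring (disable time plus the maximum lifetime)."""
    if pool.cas[new].state is not CaState.STAGED:
        raise RuntimeError("expected the replacement CA to be freshly created (STAGED)")
    pool.set_state(new, CaState.ENABLED, now)   # overlap: both CAs issue
    if len(pool.enabled_cas()) < 2:
        raise RuntimeError("refusing to disable the only ENABLED CA")  # would stall pool issuance
    pool.set_state(old, CaState.DISABLED, now)
    return now + pool.max_lifetime


T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed clock for the demo
DAY = timedelta(days=1)


def run_rotation_demo() -> dict:
    """Walk the procedure: ENABLED old CA, STAGED new CA, rotate, wait, delete."""
    pool = CaPool(max_lifetime=30 * DAY)
    pool.create_ca("old-ca")
    pool.set_state("old-ca", CaState.ENABLED, T0)
    pool.create_ca("new-ca")
    pool_issuers = {pool.issue(T0, 7 * DAY).issuer for _ in range(4)}  # load-balanced requests
    direct_issuer = pool.issue(T0, 7 * DAY, ca_name="new-ca").issuer  # direct request to STAGED CA
    deadline = rotate(pool, "old-ca", "new-ca", T0)
    after_issuer = pool.issue(T0 + DAY, 7 * DAY).issuer
    early_delete = pool.safe_to_delete("old-ca", T0 + DAY)
    monitored_delete = pool.safe_to_delete("old-ca", T0 + DAY, observed_issuers={"new-ca"})
    pool.delete_ca("old-ca", deadline)  # maximum lifetime elapsed: safe without monitoring
    return {"pool_issuers": pool_issuers, "direct_issuer": direct_issuer, "deadline": deadline,
            "after_issuer": after_issuer, "early_delete": early_delete,
            "monitored_delete": monitored_delete, "remaining": sorted(pool.cas)}


if __name__ == "__main__":
    print(run_rotation_demo())
```

In the model, swapping steps 4 and 5 makes `rotate` refuse to disable the only ENABLED CA, which is exactly the outage the procedure avoids; the two arguments to `safe_to_delete` correspond to the two ways of waiting listed in step 6. In CA Service itself the state changes are the enable, disable and delete operations of the CA (for example `gcloud privateca roots enable`, `disable` and `delete` with `--pool` and `--location`), and the client-side prerequisite in step 3 is what lets clients validate certificates from the new CA once it starts issuing.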
What's next
- Learn more about CA states.
- Learn how to manage CA states.
- Learn how to update CAs.