This document explains how you can manage the rotation of a CA in a CA pool. For more information about CA pools, see CA pools.
Ensuring seamless CA rotation
Ensuring seamless CA rotation is essential to avoid service downtime. The following procedure explains how you can rotate a CA without interrupting certificate issuance.
- Find the CA pool for the existing CA that is due to expire.
- Create a CA in the same CA pool. The CA is created in the STAGED state and cannot issue certificates through CA pool load-balancing. CAs in the STAGED state can only issue certificates when requested directly by the clients. For more information about CA states, see CA states.
- Ensure that all clients have downloaded the latest set of CA certificates from the CA pool.
- Change the state of the new CA to ENABLED. This ensures that certificates can be issued from both the old and the new CA. For information about enabling certificate authorities, see Enabling a CA.
- Change the state of the old CA to DISABLED. This ensures that certificates can only be issued from the new CA. For information about disabling certificate authorities, see Disabling a CA.
- Wait until all clients have stopped using the certificates issued from the old CA. You can confirm this in one of two ways:
  - Wait for the maximum certificate lifetime to elapse after disabling the old CA.
  - Monitor the certificates that your clients are presenting and wait until none of them chain to the old CA.
- Delete the old CA. For more information about deleting a CA, see Deleting a CA.
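The two ways of deciding when the old CA can be deleted (waiting out the maximum certificate lifetime, or monitoring which issuer your clients' certificates chain to) can be checked from an inventory of observed client certificates. The following script is an added example and is not part of the Certificate Authority Service documentation; it assumes you already export, from a service mesh, load balancer or TLS inspection log, one line per observed client certificate in the constructed `client=... issuer_cn=... not_after=...` format shown, and that `disabled_at` is the time you changed the old CA to DISABLED.

```python
"""Decide whether the old CA in a CA pool can be safely deleted.

Added example, not code from the CA Service docs. Assumes a log of
observed client certificates in the constructed line format below.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample observations (not real data): each line records when a
# client was seen, the CN of the CA that issued its certificate, and the
# certificate's notAfter time. edge-1 re-enrolled on the new CA; edge-2 did not.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z client=edge-1 issuer_cn=old-ca-1 not_after=2024-05-20T00:00:00Z
2024-05-01T10:05:00Z client=edge-2 issuer_cn=old-ca-1 not_after=2024-05-25T00:00:00Z
2024-05-02T09:00:00Z client=edge-3 issuer_cn=new-ca-2 not_after=2024-06-01T00:00:00Z
2024-05-03T11:30:00Z client=edge-1 issuer_cn=new-ca-2 not_after=2024-06-02T00:00:00Z
"""


def parse_ts(text):
    """Parse an RFC 3339 UTC timestamp such as 2024-05-01T10:00:00Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    """Return a list of (seen_at, client, issuer_cn, not_after) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        seen, *pairs = line.split()
        fields = dict(pair.split("=", 1) for pair in pairs)
        rows.append((parse_ts(seen), fields["client"], fields["issuer_cn"],
                     parse_ts(fields["not_after"])))
    return rows


def latest_cert_per_client(rows):
    """Keep only the most recent observation for each client."""
    latest = {}
    for seen, client, issuer, not_after in rows:
        if client not in latest or seen > latest[client][0]:
            latest[client] = (seen, issuer, not_after)
    return latest


def clients_still_on_ca(rows, issuer_cn):
    """Clients whose most recently observed certificate was issued by issuer_cn."""
    latest = latest_cert_per_client(rows)
    return sorted(client for client, (_, issuer, _) in latest.items()
                  if issuer == issuer_cn)


def old_ca_expiry_bound(rows, issuer_cn):
    """Latest notAfter among certificates the old CA issued; after this time
    no observed certificate from that CA is still valid."""
    ends = [not_after for _, _, issuer, not_after in rows if issuer == issuer_cn]
    return max(ends) if ends else None


def safe_delete_after(disabled_at, max_lifetime):
    """The 'wait for the maximum certificate lifetime' bound: once the old CA
    is DISABLED it issues nothing new, so every certificate it ever issued
    has expired by disabled_at + max_lifetime."""
    return disabled_at + max_lifetime


def can_delete_old_ca(rows, old_issuer_cn, now, disabled_at=None, max_lifetime=None):
    """True if either check from the rotation procedure passes: no client is
    still presenting an old-CA certificate, or the maximum certificate
    lifetime has elapsed since the old CA was disabled."""
    if not clients_still_on_ca(rows, old_issuer_cn):
        return True
    if disabled_at is not None and max_lifetime is not None:
        return now >= safe_delete_after(disabled_at, max_lifetime)
    return False


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("still on old-ca-1:", clients_still_on_ca(rows, "old-ca-1"))
    print("last old-CA cert expires:", old_ca_expiry_bound(rows, "old-ca-1"))
    print("deletable on 2024-05-10:",
          can_delete_old_ca(rows, "old-ca-1", parse_ts("2024-05-10T00:00:00Z"),
                            parse_ts("2024-05-03T00:00:00Z"), timedelta(days=30)))
```

The monitoring check is the stricter of the two: it reports the specific clients that have not re-enrolled, which is what you need before the old CA is deleted, whereas the lifetime bound only tells you when any remaining old-CA certificate must have expired on its own.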