Hi Consul community,
We’re managing a production Consul cluster and our RPC TLS CA certificates are approaching expiration (originally set to 10 years/3650 days). We’re trying to determine if there’s a way to extend the expiration date of our existing CA certificate without going through a full rotation process.
Our Current Rotation Process:
When rotating certificates, we use the following approach to maintain zero-downtime:
- Generate new CA and server certificates on a Consul instance using consul tls ca create and consul tls cert create
- Create a combined CA bundle containing both old and new CA certificates
- Update AWS Secrets Manager with the combined bundle
- Reload Consul + systemctl restart on all instances (using consul reload, NOT instance termination)
- Followers first, then leader last
- Each instance fetches the combined CA from Secrets Manager
Questions:
- Is there a way to extend the expiration date of an existing CA certificate without generating a new one? This would help us avoid the rotation process entirely for certificates that are otherwise still secure.
- Can you confirm our understanding is correct: The RPC TLS CA is completely separate from the Connect CA (auto-generated and stored in Raft), so rotating the RPC CA should NOT affect:
  - Service mesh operations
  - Connect CA roots
  - Service-to-service mTLS via Envoy
  - Connect intentions
- Does our rotation approach follow best practices? Specifically, using combined CA bundles with config reload and restart vs instance termination?
Any guidance would be greatly appreciated!
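The following is an added example, written in Go against the standard library only; it is not code from the post above or from Consul. It reproduces the trust situation behind the "combined CA bundle" step: an old CA near the end of its 3650-day lifetime, a freshly created CA, one server certificate issued by each, and a check of which server certificate each trust store (old CA only, new CA only, combined bundle) accepts. The `consul tls ca create` / `consul tls cert create` commands are stood in for by hand-written x509 templates, and the server name `server.dc1.consul`, the 3620-days-ago issue date and the 365-day server lifetime are constructed values. It also shows, in the mechanics, why the first question cannot be answered with an in-place edit: a certificate's NotAfter is inside the signed body, so a later expiry is always a newly issued certificate that peers must be configured to trust, which is exactly what the overlap bundle provides.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// must panics on error: any failure here is a mistake in the demo, not a runtime condition.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// template builds a CA (CA:TRUE, keyCertSign) or a server cert (DNS SAN, server+client auth EKUs,
// since Consul RPC is mutual TLS). It mimics what `consul tls` produces; it is not Consul's code.
func template(name string, isCA bool, notBefore time.Time, days int) *x509.Certificate {
	t := &x509.Certificate{
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(time.Duration(days) * 24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	return t
}

// newCert issues tmpl signed by parent, or self-signed when parent is nil (the CA case).
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl.SerialNumber = must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64)))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// BundlePEM concatenates CA certificates into one PEM file: the post's "combined CA bundle".
func BundlePEM(cas ...*x509.Certificate) []byte {
	var out []byte
	for _, c := range cas {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return out
}

// TrustedBy reports whether leaf chains to a root in bundle for server name dns at time now.
func TrustedBy(leaf *x509.Certificate, bundle []byte, dns string, now time.Time) bool {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(bundle) {
		return false
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: dns, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err == nil
}

// DaysUntilExpiry is the number of whole days left before c's NotAfter, as of now.
func DaysUntilExpiry(c *x509.Certificate, now time.Time) int {
	return int(c.NotAfter.Sub(now).Hours() / 24)
}

// RotationCheck records which trust store accepts which server certificate during the overlap.
type RotationCheck struct {
	OldCADaysLeft                                                                          int
	OldLeafByOldOnly, OldLeafByNewOnly, OldLeafByBundle, NewLeafByOldOnly, NewLeafByBundle bool
}

// RunRotationCheck: constructed scenario, old CA issued 3620 days ago for 3650 days (30 left), new CA, one leaf each.
func RunRotationCheck() RotationCheck {
	now := time.Now().UTC().Truncate(time.Second)
	const day, name = 24 * time.Hour, "server.dc1.consul" // constructed server name
	oldCA, oldKey := newCert(template("Consul Agent CA (old)", true, now.Add(-3620*day), 3650), nil, nil)
	newCA, newKey := newCert(template("Consul Agent CA (new)", true, now.Add(-time.Hour), 3650), nil, nil)
	oldLeaf, _ := newCert(template(name, false, now.Add(-time.Hour), 365), oldCA, oldKey)
	newLeaf, _ := newCert(template(name, false, now.Add(-time.Hour), 365), newCA, newKey)
	oldOnly, newOnly, both := BundlePEM(oldCA), BundlePEM(newCA), BundlePEM(oldCA, newCA)
	return RotationCheck{
		OldCADaysLeft:    DaysUntilExpiry(oldCA, now),
		OldLeafByOldOnly: TrustedBy(oldLeaf, oldOnly, name, now),
		OldLeafByNewOnly: TrustedBy(oldLeaf, newOnly, name, now),
		OldLeafByBundle:  TrustedBy(oldLeaf, both, name, now),
		NewLeafByOldOnly: TrustedBy(newLeaf, oldOnly, name, now),
		NewLeafByBundle:  TrustedBy(newLeaf, both, name, now),
	}
}

func main() {
	fmt.Printf("%+v\n", RunRotationCheck())
}
```

The result makes the ordering constraint visible: a peer whose CA file holds only the new CA rejects every server still presenting an old-CA certificate, and a peer holding only the old CA rejects the new ones, so no agent may drop the old CA from its bundle until every server has been re-issued under the new one. The same `DaysUntilExpiry` check, run against the live CA file, is the alert that should fire well before the 3650 days are up.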