I have to prepare for a Root CA rotation and I am struggling to understand the different points in the documentation. I have read several github issues, Discuss topics, Vault tutorials and APIs but some uncertainties remain.
- Root rotation:
In my scenario, we have three PKI layers in their respective mount points: pki_root, pki_int and pki_iss, in descending order of the hierarchy. All of these have internal CAs inside Vault.
pki_root CAs ---- signs----> pki_int CAs ----signs----> pki_iss CAs
For compliance issues, I have to create CA successors at half the lifetime of the old CAs:
|____________ oldCA____________| |____________newCa____________|
The pki_int and pki_iss cases are good as they stem from the same Root, and the root is installed on clients.
When it comes to the Root CA, things are confusing for me. The documentation and tutorials say to create a new root issuer in pki_root. So I have oldRoot and newRoot issuers. Then, the new root should be cross-signed by the old root inside pki_root as pki_root/intermediate.
The resulting chain for newRoot is said to be the following :
|oldRoot| -> |cross-signed newRoot| -> |newRoot|
so in a time format as I used before :
|__________________oldRoot____________________| |____________________newRoot____________________| |__cross-signed newRoot__|
Won't this cause problems once oldRoot has expired?
I mean, we shouldn't have signing CAs lasting shorter than leaf CAs. So won't the chain cause a problem at that moment, or will simply using the timeframe allowed by the cross-signed newRoot to update the Root CA to newRoot on clients be sufficient?
Should I edit the ca_chain of newRoot to "self" only once the oldRoot has expired?
Also in this cross-signing scenario, should the pki_int CAs be directly signed by pki_root/newRoot or pki_root/cross-signed_newRoot in order to have valid automatic chains ?
    pki_root/oldRoot ___________signs_____________
                                                  |
                                                  v
    newRoot <--- same key materials ---> cross-signed newRoot
       |                                          |
       |____signs or not ?                        |____signs or not ?
       |                                          |
       v                                          v
    pki_int/CA                                pki_int/CA
- Per-issuer URLs embedded in the cert:
As all of this heavily relies on the multi-issuer ability of PKI mounts, how can I make sure to have per-issuer resources (URL/URI) embedded in the CA cert for CRL, CA and OCSP? We used to do this with pki/config/urls before. The documentation states that we can update the issuer but it won't update the certificate. Maybe I could create the issuer once, set the issuer resources and rotate the issuer to make these fields appear in the certificate?
Thank you for your time, I know I have a lot of questions as all of this is confusing me.
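The cross-signed rotation asked about above, rebuilt with openssl as an added example (not from the post and not Vault's own commands): oldRoot, newRoot, a cross-signed newRoot that reuses newRoot's key, and a pki_int CA signed with newRoot's key, then a check of which trust paths verify before and after oldRoot expires. The names and lifetimes (1 year, 2 years, 180 days, 500 days) are constructed assumptions.

```shell
#!/bin/sh
# Added example (constructed with openssl, not the post's Vault commands):
# models oldRoot, newRoot, the cross-signed newRoot and a pki_int CA, then
# checks which trust paths verify before and after oldRoot expires.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# Minimal openssl config: DN comes from -subj, [ca] holds the CA extensions.
printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > ca.cnf

for k in oldRoot newRoot int; do
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$k.key" 2>/dev/null
done

# Self-signed roots: oldRoot has 1 year left, newRoot 2 years (assumed lifetimes).
openssl req -x509 -new -key oldRoot.key -subj /CN=oldRoot -days 365 \
  -config ca.cnf -extensions ca -out oldRoot.pem
openssl req -x509 -new -key newRoot.key -subj /CN=newRoot -days 730 \
  -config ca.cnf -extensions ca -out newRoot.pem

# Cross-sign: a CSR from newRoot's key and subject, signed by oldRoot with a
# shorter lifetime (the shape that cross-sign + sign-intermediate produces).
openssl req -new -key newRoot.key -subj /CN=newRoot -config ca.cnf -out cross.csr
openssl x509 -req -in cross.csr -CA oldRoot.pem -CAkey oldRoot.key -CAcreateserial \
  -days 180 -extfile ca.cnf -extensions ca -out crossRoot.pem 2>/dev/null

# pki_int CA signed with newRoot's key; crossRoot carries the same key and
# subject, so this single signature satisfies both trust paths.
openssl req -new -key int.key -subj /CN=pki_int -config ca.cnf -out int.csr
openssl x509 -req -in int.csr -CA newRoot.pem -CAkey newRoot.key -CAcreateserial \
  -days 500 -extfile ca.cnf -extensions ca -out int.pem 2>/dev/null

# Verify int.pem at epoch $3 against trust anchor $1, optionally with an
# untrusted helper cert $2 (the cross-signed root a client would be sent).
verify_at() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" -attime "$3" int.pem >/dev/null 2>&1 && echo OK || echo FAIL
  else
    openssl verify -CAfile "$1" -attime "$3" int.pem >/dev/null 2>&1 && echo OK || echo FAIL
  fi
}

NOW=$(date +%s); AFTER_OLDROOT=$((NOW + 400 * 86400))   # oldRoot and crossRoot expired by then
echo "client trusts oldRoot, now:           $(verify_at oldRoot.pem crossRoot.pem "$NOW")"
echo "client trusts oldRoot, after expiry:  $(verify_at oldRoot.pem crossRoot.pem "$AFTER_OLDROOT")"
echo "client trusts newRoot, now:           $(verify_at newRoot.pem "" "$NOW")"
echo "client trusts newRoot, after expiry:  $(verify_at newRoot.pem "" "$AFTER_OLDROOT")"
```

The oldRoot-only path stops verifying once oldRoot (or the shorter-lived cross-signed cert) has expired, while a client that already trusts newRoot keeps verifying the same pki_int certificate, which is why the cross-signed cert's lifetime bounds the window for distributing newRoot to clients.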