Vault root CA rotation

Yes, there is - @ambadiaravind said they are using the PKI backend, which stores this in the Vault storage.

For root CAs, the “rotation” procedure is essentially to create a new one from scratch, and distribute it to all clients which need to trust it. (This is why root CAs typically have such a long lifetime.)

In Vault terms, this means mounting another instance of the PKI secrets engine at a new path in Vault, and setting it up from scratch, as you did before.

For intermediate CAs, the story is rather more complex, as unfortunately Vault does not currently have good support for this. Here are some questions you need to ask yourself, as they determine exactly how you will go about an intermediate CA renewal:

  • Does it matter if your intermediate CA is unable to issue certificates for a while? In Vault as it is today, if you generate a new intermediate key and CSR in your existing PKI secrets engine, it will then be offline until you get the CSR signed and the new certificate uploaded.

  • Do you care about your Authority Information Access (i.e. downloading the CA certificate) and CRL Distribution Point URLs continuing to work properly throughout the transition? In Vault as it is today, if you generate a new intermediate CA in an existing PKI secrets engine, the AIA URL will switch to serving the new CA, and the CRL will be signed by the new CA, which may break clients depending on them and expecting the old CA.

  • Do you still have a copy of the old intermediate CA’s CSR? If so, would re-signing it as is be acceptable (no change to CA key or name)? This is the easiest way to handle a renewal with maximum compatibility in Vault today.

  • How hard would it be to get all clients to switch to a new PKI secrets engine path in Vault for talking to the new CA? (If feasible, handle the intermediate CA renewal by setting up a new PKI secrets engine at a different path and move users over to it.)

Some GitHub issues which provide further background reading on this problem with Vault are “workflow for rotating generated intermediates without downtime?” (hashicorp/vault issue #2581) and the other issues linked at the end of its conversation.
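As an added example (not part of this reply or of Vault's own documentation), the following shell script puts two of the points above together: stand up the new root in a fresh PKI mount at a new path, then re-sign the saved CSR of the existing intermediate with that new root so the intermediate keeps its key and name. The mount names, common name, URLs, TTLs and the CSR file path are assumptions; it expects `vault` and `openssl` on the path and `VAULT_ADDR`/`VAULT_TOKEN` already set.

```shell
#!/usr/bin/env bash
# Added example: Vault root CA rotation via a NEW pki mount, followed by
# re-signing the EXISTING intermediate CSR (same key, same subject, new issuer).
# Assumptions (constructed for this example): the old intermediate is mounted
# at "pki_int" and its original CSR was kept at ./pki_int.csr. Mount paths,
# CN, URLs and TTLs below are placeholders, not values from the original post.
set -eu

NEW_ROOT_MOUNT="${NEW_ROOT_MOUNT:-pki_root_v2}"  # new path; old root mount is left alone
INT_MOUNT="${INT_MOUNT:-pki_int}"
INT_CSR="${INT_CSR:-./pki_int.csr}"
VAULT_URL="${VAULT_ADDR:-https://vault.example.internal:8200}"

# Vault TTLs are expressed in hours; convert whole years for readability.
years_to_ttl() { echo "$(( $1 * 8760 ))h"; }

create_new_root() {
  vault secrets enable -path="$NEW_ROOT_MOUNT" pki
  vault secrets tune -max-lease-ttl="$(years_to_ttl 20)" "$NEW_ROOT_MOUNT"
  # "internal" keeps the private key inside Vault; only the cert comes back.
  vault write -field=certificate "$NEW_ROOT_MOUNT/root/generate/internal" \
    common_name="Example Root CA v2" ttl="$(years_to_ttl 20)" > new_root.pem
  # AIA and CRL URLs for the new root point at the NEW mount path, so the
  # old root's URLs keep serving the old CA during the transition.
  vault write "$NEW_ROOT_MOUNT/config/urls" \
    issuing_certificates="$VAULT_URL/v1/$NEW_ROOT_MOUNT/ca" \
    crl_distribution_points="$VAULT_URL/v1/$NEW_ROOT_MOUNT/crl"
}

resign_existing_intermediate() {
  # Re-sign the saved CSR: the intermediate's key and name do not change, so
  # leaf certs it already issued remain valid and only the root must be pushed
  # to clients. The intermediate mount stays online throughout.
  vault write -field=certificate "$NEW_ROOT_MOUNT/root/sign-intermediate" \
    csr=@"$INT_CSR" format=pem_bundle ttl="$(years_to_ttl 5)" > int_resigned.pem
  vault write "$INT_MOUNT/intermediate/set-signed" certificate=@int_resigned.pem
}

verify_chain() {
  # Offline check that the re-signed intermediate now chains to the new root.
  openssl verify -CAfile new_root.pem int_resigned.pem
}

if [ "${1:-}" = "rotate" ]; then
  create_new_root
  resign_existing_intermediate
  verify_chain
  echo "Distribute new_root.pem to every client before disabling the old root mount."
fi
```

Run it as `./rotate_root.sh rotate`; until every client trusts `new_root.pem`, keep the old root mount enabled so its AIA and CRL endpoints keep answering.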