Managing CA rotation
This page explains how you can manage the rotation of a CA in a CA pool. For more information about CA pools, see Overview of CA pools.
Ensure seamless CA rotation
Ensuring seamless CA rotation is essential to avoid service downtime, or to deal with an emergency. The following procedure explains how you can seamlessly rotate a CA.
1. Find the CA pool for the existing CA that is due to expire.
2. Create a CA in the same CA pool.
   The CA is created in the STAGED state and cannot issue certificates through CA pool load-balancing. CAs in the STAGED state can only issue certificates when requested directly by the clients. For more information about CA states, see CA states.
3. Ensure that all clients have downloaded the latest set of CA certificates from the CA pool.
4. Change the state of the new CA to ENABLED. This ensures that certificates can be issued from both the old and the new CA. For information about enabling certificate authorities, see Enable a CA.
5. Change the state of the old CA to DISABLED. This ensures that certificates won't be issued by the old CA. For information about disabling certificate authorities, see Disable a CA.
6. Wait until all clients have stopped using the certificates issued from the old CA. You can ensure that in two ways:
   - You can wait for the maximum certificate lifetime.
   - You can monitor the certificates being used by your clients.
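The whole procedure as a script, added here as an example and not taken from the Google Cloud documentation or from the CA Service product: the gcloud commands carry the steps that need the API, and the final step (waiting until clients have stopped using certificates from the old CA) is an offline check that accepts either criterion, elapsed maximum lifetime or monitoring data showing no old-CA issuer. The pool name, location, CA names and subjects, the 30-day maximum certificate lifetime and the issuer-name telemetry file are assumptions, and the rotated CA is assumed to be a root CA (a subordinate CA would use the corresponding `gcloud privateca subordinates` commands).

```shell
#!/bin/sh
# Added example, not from the Google Cloud documentation. Walks the rotation
# steps above with the gcloud CLI and adds an offline check for the last step.
# Assumptions (placeholders, not values from the page): pool and CA names,
# the location, the CA subjects, the maximum certificate lifetime, and that
# the rotated CA is a root CA.
set -eu

POOL="${POOL:-example-pool}"                  # placeholder CA pool
LOCATION="${LOCATION:-us-central1}"           # placeholder pool location
OLD_CA="${OLD_CA:-example-root-2024}"         # placeholder: the CA due to expire
NEW_CA="${NEW_CA:-example-root-2025}"         # placeholder: its replacement
OLD_CA_SUBJECT="${OLD_CA_SUBJECT:-CN=Example Root CA 2024}"  # placeholder
MAX_LIFETIME_SEC="${MAX_LIFETIME_SEC:-2592000}"  # assumed 30-day max lifetime

# Current state (STAGED, ENABLED, DISABLED, ...) of a CA in the pool.
ca_state() {
  gcloud privateca roots describe "$1" --pool="$POOL" --location="$LOCATION" \
    --format="value(state)"
}

# Number of PEM certificates in a trust bundle fetched from the pool. After
# the new CA is created the bundle must carry both CAs, so expect >= 2.
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Monitoring option for the final step: $1 is a file with one issuer name per
# line as observed on client connections (exported from your own telemetry);
# succeeds if any of them was issued by the old CA, whose subject is $2.
old_ca_in_use() {
  grep -Fxq -- "$2" "$1"
}

# Safe to retire the old CA when either the maximum certificate lifetime has
# elapsed since it was disabled ($1 = disable time, $2 = now, epoch seconds)
# or the monitoring data ($3 = issuer file, $4 = old CA subject) shows no
# certificate issued by it still in use.
cutover_safe() {
  if [ $(( $2 - $1 )) -ge "$MAX_LIFETIME_SEC" ]; then return 0; fi
  if old_ca_in_use "$3" "$4"; then return 1; fi
  return 0
}

# Live procedure; runs only when CA_ROTATE_RUN=1 and gcloud is configured.
rotate() {
  echo "1. old CA $OLD_CA is $(ca_state "$OLD_CA") in pool $POOL"
  # 2. Create the replacement in the same pool; it starts in STAGED.
  gcloud privateca roots create "$NEW_CA" --pool="$POOL" --location="$LOCATION" \
    --subject="CN=Example Root CA 2025, O=Example Org" \
    --key-algorithm=ec-p256-sha256
  # 3. Fetch the pool's trust anchors and distribute them to every client.
  gcloud privateca pools get-ca-certs "$POOL" --location="$LOCATION" \
    --output-file=ca-bundle.pem
  if [ "$(count_certs ca-bundle.pem)" -lt 2 ]; then
    echo "ca-bundle.pem does not contain both CAs; stopping" >&2
    return 1
  fi
  echo "3. push ca-bundle.pem to all clients before continuing"
  # 4. Enable the new CA so both CAs issue, then 5. disable the old one.
  gcloud privateca roots enable "$NEW_CA" --pool="$POOL" --location="$LOCATION"
  gcloud privateca roots disable "$OLD_CA" --pool="$POOL" --location="$LOCATION"
  # 6. Record when issuance from the old CA stopped; feed it to cutover_safe.
  date +%s > old-ca-disabled-at.txt
  echo "6. old CA disabled; run cutover_safe before retiring it"
}

# Offline demonstration of the final check on constructed telemetry.
demo_offline() {
  dir=$(mktemp -d)
  printf 'CN=Example Root CA 2025\nCN=Example Root CA 2024\n' > "$dir/issuers.txt"
  if cutover_safe 1000 2000 "$dir/issuers.txt" "$OLD_CA_SUBJECT"; then
    echo "safe to retire the old CA"
  else
    echo "old CA still in use and lifetime not elapsed: keep waiting"
  fi
  rm -rf "$dir"
}

if [ "${CA_ROTATE_RUN:-0}" = 1 ]; then rotate; else demo_offline; fi
```

Run it without arguments to exercise the offline check on the constructed issuer list; set `CA_ROTATE_RUN=1` with a configured gcloud to perform the live steps against your own pool. The script stops before enabling the new CA if the downloaded bundle does not contain both CAs, since enabling the new CA before clients trust it is exactly the outage the staged rollout is meant to avoid.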
Last updated 2025-03-05 UTC.