CA Validity Period
Perform the recommended actions based on the status of the CA validity period that was reported by PKI health check.
The CA Validity Period health check monitors the expiration timelines of your root and intermediate Certificate Authorities (CAs) to help you maintain a secure and uninterrupted PKI infrastructure.
Health Check Name: ca_validity_period
ca_validity_periodAccessed APIs (Unauthenticated):
LIST /issuersREAD /issuer/:issuer_ref/json
Configuration Parameters:
root_expiry_critical (default: 182d)
Duration within which a root CA's expiry is considered critical
intermediate_expiry_critical (default: 30d)
Duration within which an intermediate CA's expiry is critical
root_expiry_warning (default: 365d)
Duration within which a root CA's expiry triggers a warning
intermediate_expiry_warning (default: 60d)
Duration within which an intermediate CA's expiry triggers a warning
root_expiry_informational (default: 730d)
Duration within which a root CA's expiry is marked as informational
intermediate_expiry_informational (default: 180d)
Duration within which an intermediate CA's expiry is informational
Health Check Results
This check evaluates all issuers in the mount and reports CA validity status based on expiry windows:
≤ 30 days
Critical
Any CA
≤ 12 months
Warning
Root CA
≤ 2 months
Warning
Intermediate CA
≤ 24 months
Informational
Root CA
≤ 6 months
Informational
Intermediate CA
Recommended Actions:
Rotate CAs: Perform CA rotation to replace expiring CAs before they reach critical thresholds.
Migrate Workloads: Ensure workloads use the newly rotated CAs.
Clean Up Expired CAs using one of the following methods:
Manually tidy up expired issuers:
vhsm write <mount>/tidy tidy_expired_issuers=trueDelete expired CAs using the vHSM's API's
DELETE /issuer/:issuer_idendpoint.
Last updated
Was this helpful?