CA Validity Period

Perform the recommended actions based on the status of the CA validity period reported by the PKI health check.

The CA Validity Period health check monitors the expiration timelines of your root and intermediate Certificate Authorities (CAs) to help you maintain a secure and uninterrupted PKI infrastructure.

Health Check Name: ca_validity_period

Accessed APIs (Unauthenticated):

  • LIST /issuers

  • READ /issuer/:issuer_ref/json

Configuration Parameters:

Parameter                                         Description
root_expiry_critical (default: 182d)              Duration within which a root CA's expiry is considered critical
intermediate_expiry_critical (default: 30d)       Duration within which an intermediate CA's expiry is considered critical
root_expiry_warning (default: 365d)               Duration within which a root CA's expiry triggers a warning
intermediate_expiry_warning (default: 60d)        Duration within which an intermediate CA's expiry triggers a warning
root_expiry_informational (default: 730d)         Duration within which a root CA's expiry is marked as informational
intermediate_expiry_informational (default: 180d) Duration within which an intermediate CA's expiry is marked as informational

Health Check Results

This check evaluates all issuers in the mount and reports CA validity status based on expiry windows:

Expiry Window   Severity        Applies To
≤ 30 days       Critical        Any CA
≤ 12 months     Warning         Root CA
≤ 2 months      Warning         Intermediate CA
≤ 24 months     Informational   Root CA
≤ 6 months      Informational   Intermediate CA

  1. Rotate CAs: Perform CA rotation to replace expiring CAs before they reach critical thresholds.

  2. Migrate Workloads: Ensure workloads use the newly rotated CAs.

  3. Clean Up Expired CAs using one of the following methods:

    • Manually tidy up expired issuers:

      vhsm write <mount>/tidy tidy_expired_issuers=true

    • Delete expired CAs using the vHSM API's DELETE /issuer/:issuer_id endpoint.

Tip: You can customize the thresholds in your PKI configuration to suit your operational policies and CA lifecycles.
