Virtual HSM
CA Validity Period

Perform the recommended actions below based on the CA validity period status reported by the PKI health check.

The CA Validity Period health check monitors the expiration timelines of your root and intermediate Certificate Authorities (CAs) to help you maintain a secure and uninterrupted PKI infrastructure.

Health Check Name: ca_validity_period

Accessed APIs (Unauthenticated):

  • LIST /issuers

  • READ /issuer/:issuer_ref/json

Configuration Parameters:

| Parameter | Default | Description |
| --- | --- | --- |
| root_expiry_critical | 182d | Duration within which a root CA's expiry is considered critical |
| intermediate_expiry_critical | 30d | Duration within which an intermediate CA's expiry is considered critical |
| root_expiry_warning | 365d | Duration within which a root CA's expiry triggers a warning |
| intermediate_expiry_warning | 60d | Duration within which an intermediate CA's expiry triggers a warning |
| root_expiry_informational | 730d | Duration within which a root CA's expiry is marked as informational |
| intermediate_expiry_informational | 180d | Duration within which an intermediate CA's expiry is marked as informational |

Health Check Results

This check evaluates all issuers in the mount and reports CA validity status based on expiry windows:

| Expiry Window | Severity | Applies To |
| --- | --- | --- |
| ≤ 30 days | Critical | Any CA |
| ≤ 12 months | Warning | Root CA |
| ≤ 2 months | Warning | Intermediate CA |
| ≤ 24 months | Informational | Root CA |
| ≤ 6 months | Informational | Intermediate CA |
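As an added illustration (not code from the vHSM project), the following Python reimplements the classification this check performs, using the default thresholds from the Configuration Parameters table above so you can pre-screen issuers or interpret results offline. The issuer records, ids and names are constructed placeholders, and duration suffixes other than d are an assumption.

```python
from datetime import datetime, timedelta, timezone

# Default thresholds from the Configuration Parameters table (vHSM duration strings).
DEFAULT_THRESHOLDS = {
    "root_expiry_critical": "182d",
    "intermediate_expiry_critical": "30d",
    "root_expiry_warning": "365d",
    "intermediate_expiry_warning": "60d",
    "root_expiry_informational": "730d",
    "intermediate_expiry_informational": "180d",
}

_UNITS = {"d": timedelta(days=1), "h": timedelta(hours=1), "m": timedelta(minutes=1), "s": timedelta(seconds=1)}  # assumed suffixes; only "d" appears on the page

def parse_duration(text: str) -> timedelta:
    """Parse a duration such as '182d' or '36h' into a timedelta."""
    number, unit = text[:-1], text[-1:]
    if unit not in _UNITS or not number.isdigit():
        raise ValueError(f"unsupported duration: {text!r}")
    return int(number) * _UNITS[unit]

def is_root(issuer: dict) -> bool:
    """A root CA is self-issued: its subject and issuer names are identical."""
    return issuer["subject"] == issuer["issuer"]

def classify(issuer: dict, now: datetime, thresholds: dict = DEFAULT_THRESHOLDS) -> str:
    """Return 'expired', 'critical', 'warning', 'informational' or 'ok' for one issuer."""
    kind = "root" if is_root(issuer) else "intermediate"
    remaining = issuer["not_after"] - now
    if remaining <= timedelta(0):
        return "expired"  # candidate for tidy_expired_issuers / DELETE /issuer/:issuer_id
    # Check the most severe window first; each window is its own configurable duration.
    for severity in ("critical", "warning", "informational"):
        if remaining <= parse_duration(thresholds[f"{kind}_expiry_{severity}"]):
            return severity
    return "ok"

def report(issuers: list, now: datetime, thresholds: dict = DEFAULT_THRESHOLDS) -> dict:
    """Map issuer_id -> severity for every issuer a LIST /issuers call would enumerate."""
    return {i["issuer_id"]: classify(i, now, thresholds) for i in issuers}

# Constructed sample issuers (placeholder ids and names, not real vHSM data).
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_ISSUERS = [
    {"issuer_id": "root-a", "subject": "CN=Root", "issuer": "CN=Root", "not_after": NOW + timedelta(days=400)},
    {"issuer_id": "root-b", "subject": "CN=Root", "issuer": "CN=Root", "not_after": NOW + timedelta(days=100)},
    {"issuer_id": "int-c", "subject": "CN=Int", "issuer": "CN=Root", "not_after": NOW + timedelta(days=45)},
    {"issuer_id": "int-d", "subject": "CN=Old", "issuer": "CN=Root", "not_after": NOW - timedelta(days=1)},
]
```

Calling `report(SAMPLE_ISSUERS, NOW)` with the defaults flags root-b as critical (100 days is inside the 182d root window) and int-d as expired, which is the set the tidy step below would remove.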

Recommended Actions:

  1. Rotate CAs: Perform CA rotation to replace expiring CAs before they reach critical thresholds.

  2. Migrate Workloads: Ensure workloads use the newly rotated CAs.

  3. Clean Up Expired CAs using one of the following methods:

    • Manually tidy up expired issuers:

      vhsm write <mount>/tidy tidy_expired_issuers=true

    • Delete expired CAs using the vHSM API's DELETE /issuer/:issuer_id endpoint.

Tip: You can customize the thresholds in your PKI configuration to suit your operational policies and CA lifecycles.
