# CA Validity Period

The CA Validity Period health check monitors the expiration timelines of your root and intermediate Certificate Authorities (CAs) to help you maintain a secure and uninterrupted PKI.

#### Health Check Name: **`ca_validity_period`**

**Accessed APIs (Unauthenticated)**:

* `LIST /issuers`
* `READ /issuer/:issuer_ref/json`

#### Configuration Parameters:

| Parameter                                             | Description                                                          |
| ----------------------------------------------------- | -------------------------------------------------------------------- |
| `root_expiry_critical` (default: `182d`)              | Duration within which a root CA's expiry is considered critical      |
| `intermediate_expiry_critical` (default: `30d`)       | Duration within which an intermediate CA's expiry is critical        |
| `root_expiry_warning` (default: `365d`)               | Duration within which a root CA's expiry triggers a warning          |
| `intermediate_expiry_warning` (default: `60d`)        | Duration within which an intermediate CA's expiry triggers a warning |
| `root_expiry_informational` (default: `730d`)         | Duration within which a root CA's expiry is marked as informational  |
| `intermediate_expiry_informational` (default: `180d`) | Duration within which an intermediate CA's expiry is informational   |

#### Health Check Results

This check evaluates *all issuers in the mount* and reports CA validity status based on expiry windows:

| Expiry Window | Severity          | Applies To      |
| ------------- | ----------------- | --------------- |
| ≤ 30 days     | **Critical**      | Any CA          |
| ≤ 12 months   | **Warning**       | Root CA         |
| ≤ 2 months    | **Warning**       | Intermediate CA |
| ≤ 24 months   | **Informational** | Root CA         |
| ≤ 6 months    | **Informational** | Intermediate CA |

#### Recommended Actions:

1. Rotate CAs: Perform CA rotation to replace expiring CAs before they reach critical thresholds.
2. Migrate Workloads: Ensure workloads use the newly rotated CAs.
3. Clean Up Expired CAs using one of the following methods:
   * Manually tidy up expired issuers:

     ```bash
     vhsm write <mount>/tidy tidy_expired_issuers=true
     ```
   * Delete expired CAs using the vHSM API's `DELETE /issuer/:issuer_id` endpoint.

{% hint style="info" %}
**Tip**: You can customize the thresholds in your PKI configuration to suit your operational policies and CA lifecycles.
{% endhint %}
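
The following is an added example, not vHSM code: it reproduces offline how the six threshold parameters above sort a CA inventory by remaining validity, using the defaults from the Configuration Parameters table. The inventory records, the `expired` and `ok` labels, the rule that a CA whose subject equals its issuer is a root, and the function names are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Defaults copied from the Configuration Parameters table on this page.
DEFAULTS = {
    "root_expiry_critical": "182d",
    "intermediate_expiry_critical": "30d",
    "root_expiry_warning": "365d",
    "intermediate_expiry_warning": "60d",
    "root_expiry_informational": "730d",
    "intermediate_expiry_informational": "180d",
}
SEVERITIES = ("critical", "warning", "informational")  # most severe first

def parse_days(value):
    """Parse a day-based duration such as '182d' (the only form shown on this page)."""
    if not value.endswith("d") or not value[:-1].isdigit():
        raise ValueError(f"unsupported duration: {value!r}")
    return timedelta(days=int(value[:-1]))

def classify(ca, now, overrides=None):
    """Return 'expired', a severity name, or 'ok' for one CA record."""
    cfg = {**DEFAULTS, **(overrides or {})}
    # Assumption: subject == issuer (self-issued) marks a root CA.
    kind = "root" if ca["subject"] == ca["issuer"] else "intermediate"
    remaining = ca["not_after"] - now
    if remaining <= timedelta(0):
        return "expired"  # candidate for the clean-up step above
    for severity in SEVERITIES:
        if remaining <= parse_days(cfg[f"{kind}_expiry_{severity}"]):
            return severity
    return "ok"

def report(cas, now, overrides=None):
    """Map each CA name to its classification."""
    return {ca["name"]: classify(ca, now, overrides) for ca in cas}

# Constructed inventory (not real issuers); expiry dates are relative to NOW.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
CAS = [
    {"name": "root-a", "subject": "CN=Root A", "issuer": "CN=Root A", "not_after": NOW + timedelta(days=200)},
    {"name": "int-a", "subject": "CN=Int A", "issuer": "CN=Root A", "not_after": NOW + timedelta(days=200)},
    {"name": "int-b", "subject": "CN=Int B", "issuer": "CN=Root A", "not_after": NOW + timedelta(days=45)},
    {"name": "int-old", "subject": "CN=Int Old", "issuer": "CN=Root A", "not_after": NOW - timedelta(days=3)},
]

if __name__ == "__main__":
    for name, status in report(CAS, NOW).items():
        print(f"{name:8} {status}")
```

With 200 days left, the root is already in its warning window while the intermediate is still outside every window. Raising `intermediate_expiry_critical` to `45d` moves `int-b` from warning to critical.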


