search
Home

CA Validity Period

Perform the recommended actions based on the status of the CA validity period that was reported by PKI health check.

The CA Validity Period health check monitors the expiration timelines of your root and intermediate Certificate Authorities (CAs) to help you maintain a secure and uninterrupted PKI infrastructure.

hashtag
Health Check Name: ca_validity_period

Accessed APIs (Unauthenticated):

  • LIST /issuers

  • READ /issuer/:issuer_ref/json

hashtag
Configuration Parameters:

Parameter
Description

root_expiry_critical (default: 182d)

Duration within which a root CA's expiry is considered critical

intermediate_expiry_critical (default: 30d)

Duration within which an intermediate CA's expiry is critical

root_expiry_warning (default: 365d)

Duration within which a root CA's expiry triggers a warning

intermediate_expiry_warning (default: 60d)

Duration within which an intermediate CA's expiry triggers a warning

root_expiry_informational (default: 730d)

Duration within which a root CA's expiry is marked as informational

intermediate_expiry_informational (default: 180d)

Duration within which an intermediate CA's expiry is informational

hashtag
Health Check Results

This check evaluates all issuers in the mount and reports CA validity status based on expiry windows:

Expiry Window
Severity
Applies To

≤ 30 days

Critical

Any CA

≤ 12 months

Warning

Root CA

≤ 2 months

Warning

Intermediate CA

≤ 24 months

Informational

Root CA

≤ 6 months

Informational

Intermediate CA

hashtag
Recommended Actions:

  1. Rotate CAs: Perform CA rotation to replace expiring CAs before they reach critical thresholds.

  2. Migrate Workloads: Ensure workloads use the newly rotated CAs.

  3. Clean Up Expired CAs using one of the following methods:

    • Manually tidy up expired issuers:

    • Delete expired CAs using the vHSM's API's DELETE /issuer/:issuer_id endpoint.

circle-info

Tip: You can customize the thresholds in your PKI configuration to suit your operational policies and CA lifecycles.

PreviousTroubleshootingNextCRL Validity Period

Last updated

Was this helpful?