Details

    • Sub-task
    • Status: Open
    • Major
    • Resolution: Unresolved
    • None
    • None
    • Security

    Description

      Revoking the root CA certificate effectively means the system has to re-create all certificates used internally, and with that it is a tedious process.

      Prerequisite for this task is to have all the certificate rotation logic implemented, but in case of revocation we need to do the process in an expedited way within just a few hours tops without causing impacts to the service.

      The procedure should involve a few things:

      • at start a new root CA certificate has to be created, and similarly as when the root CA certificate is being rotated, new subordinate CA certificates have to be created and rotated in
      • as the next step all certificates in the system has to be revoked, and renewed during the default grace period within which the certificates are renewed after revocation
      • once all the certificates are renewed, the old subordinate CA certificates and the rootCA certificate has to be revoked as well
      • once the services notice the revocation of the old rootCA certificate, the old rootCA certificate has to be removed from the trust stores of active and to be created connections

      Attachments

        Activity

          People

            pifta István Fajth
            pifta István Fajth
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated: