How to rotate Root CA for running self-hosted step-ca server ?

[chris-lee-lb]

Hello,

As title, I want to figure out the correct steps for it. After some googling, I still can not found any information about it.

I do found this official blog post - https://smallstep.com/blog/step-v0.8.3-federation-root-rotation/

But as my understanding, It says I can use federation (multiple Root CAs) to do seamlessly rotate root certificates, but do not have any informations that covers root rotations.

Second thoughts is that maybe I can use step-ca JSON API, but I also can not find any docs for json api endpoint usage.

Thanks in advance.

[chris-lee-lb]

Currently I found this issue and related PR for this topic.

#19
#22

Looks like step ca do have related mechanism with following steps.

1. CA is configured with rootA.
2. BootstrapServer/BootstrapClient are created, accepting only rootA.
3. CA is updated and adds rootB, rootA and rootB are accepted.
4. BootstrapServer/BootstrapClient do a renew and include rootB into the trusted pools
5. CA can now create new intermediates and remove rootA.
6. BootstrapServer/BootstrapClient will able to renew with rootB.

But I still can not figure out how to do these steps actually.

Thanks in advance.

[maraino]

We should be able to configure step-ca helm chart with two roots, but I will have to look into that it might not be straightforward.

[maraino]

Right now you cannot manually change the output of step ca init --helm to configure two roots, but you can manually edit the certs and config ConfigMaps to add the second root.

I think I will add a new change, so the second certificate is not required and you can just bundle the old root with the new one. This way you will need is to add it to the output of step ca init --helm

[maraino]

@chris-lee-lb I've added a PR to support root bundles #1169, so in the output of step ca init --helm you can append multiple roots :)

[maraino]

Autocert pods will either require a rollout restart. The other option would be to configure custom bootstrappers and/or renewer containers and add an extra command to get all the roots.

[chris-lee-lb]

@maraino Thanks for your nice works. 🎉

And for Autocert, I also create the related issue for this case. (smallstep/autocert#67), and I also have some idea in the comments. Hope it be helpful.

[ken-master]

hi @chris-lee-lb were you able to implement and configure these stuff.. I am in a same situation. Thanks.