Strimzi
Handling of Renewal of CA certificate #10273
Replies: 1 comment 6 replies
-
|
I don't think such things makes much sense. The server certificates have the same validity as the Strimzi-based CA and they would anyway not work when the CA expires. So it does not make sense to renew them separately. So why would you want to do that? |
Beta Was this translation helpful? Give feedback.
-
|
But you would still need to renew the CA sooner or later. |
Beta Was this translation helpful? Give feedback.
-
|
Yes.. For example, if we have validity of CA of 5 years and server certificate of 1 year. Until 5 years clients dont need to keep changing every year and whenever CA renews we have to renew server cert as well and for clients only Cluster CA matters but not server certs. |
Beta Was this translation helpful? Give feedback.
-
|
I don't think you have that with the Strimzi-based CA as the validity is the same for the CA as for the server certificates. |
Beta Was this translation helpful? Give feedback.
-
|
Okay. thanks for confirmation. on another note , Do you think is it something we can try to implement ? |
Beta Was this translation helpful? Give feedback.
-
|
Sorry, but implement what? As I said, the certificates are renewed together. So you cannot really renew just one of them because the other would expire. |
Beta Was this translation helpful? Give feedback.
-
Hi Team,
As per Strimzi, we see when we set "generateCertificateAuthority=true", the Cluster CA gets renewed with existing Key. and other option is to renew the private key as well.
Do we have option to not renew the Cluster CA and just renew the respective certs (brokers, zk, etc) which are signed by this particular signing authority. Reason for this clients can use the same truststore (generally root and intermediate signing authorities have longer duration than actual certs ) and have a separate renewal period for Cluster CA and individual component certs.
Beta Was this translation helpful? Give feedback.
All reactions