Stay organized with collectionsSave and categorize content based on your preferences.
Managing CA rotation
This page explains how you can manage the rotation of a CA in a CA pool. For more
information about CA pools, seeOverview of CA pools.
Ensure seamless CA rotation
Ensuring seamless CA rotation is essential to avoid service downtime, or to deal with an emergency. The following procedure explains how you can seamlessly rotate a CA.
Find the CA pool for the existing CA that is due to expire.
Create a CA in the same CA pool.
The CA is created in theSTAGEDstate and cannot issue certificates through CA pool load-balancing. CAs in theSTAGEDstate can only issue certificates when requested directly by the clients. For more information about CA states, seeCA states.
Ensure that all clients have downloaded the latest set of CA certificates from the CA pool.
Change the state of the new CA toENABLED. This ensures that certificates can be issued from both the old and the new CA. For information about enabling certificate authorities, seeEnable a CA.
Change the state of the old CA toDISABLED. This ensures that certificates won't be issued by the old CA. For information about disabling certificate authorities, seeDisable a CA.
Wait until all clients have stopped using the certificates issued from the old CA. You can ensure that in two ways:
You can wait for the maximum certificate lifetime.
You can monitor the certificates being used by your clients.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eThis guide explains how to manage the rotation of a Certificate Authority (CA) within a CA pool to prevent service disruptions or address emergencies.\u003c/p\u003e\n"],["\u003cp\u003eThe CA rotation process involves creating a new CA in the \u003ccode\u003eSTAGED\u003c/code\u003e state, ensuring clients receive the new CA certificates, and then enabling the new CA while disabling the old one.\u003c/p\u003e\n"],["\u003cp\u003eBefore deleting the old CA, ensure that all clients have stopped using certificates issued by it, either by waiting for the maximum certificate lifetime or by monitoring client usage.\u003c/p\u003e\n"],["\u003cp\u003eThe new CA will initially be in the \u003ccode\u003eSTAGED\u003c/code\u003e state, meaning it can only issue certificates when requested directly, not through CA pool load-balancing, and must be transitioned to the \u003ccode\u003eENABLED\u003c/code\u003e state for normal operation.\u003c/p\u003e\n"],["\u003cp\u003eAfter the old CA is disabled, it is still trusted by clients and is provided in the trust anchor for the CA pool, and this means the old CA can still issue certificates until all clients have stopped using them.\u003c/p\u003e\n"]]],[],null,["# Managing CA rotation\n====================\n\nThis page explains how you can manage the rotation of a CA in a CA pool. For more\ninformation about CA pools, see [Overview of CA pools](/certificate-authority-service/docs/ca-pool).\n| **Note:** This document provides general guidance on managing CA rotation. We recommend that organizations carefully construct their processes in consultation with security experts.\n\nEnsure seamless CA rotation\n---------------------------\n\nEnsuring seamless CA rotation is essential to avoid service downtime, or to deal with an emergency. The following procedure explains how you can seamlessly rotate a CA.\n\n1. Find the CA pool for the existing CA that is due to expire.\n2. Create a CA in the same CA pool.\n The CA is created in the `STAGED` state and cannot issue certificates through CA pool load-balancing. CAs in the `STAGED` state can only issue certificates when requested directly by the clients. For more information about CA states, see [CA states](/certificate-authority-service/docs/certificate-authority-states).\n\n3. Ensure that all clients have downloaded the latest set of CA certificates from the CA pool.\n\n | **Note:** Verify that all your clients have received the new certificates. The clients must use the [fetchCaCerts](/certificate-authority-service/docs/reference/rest/v1/projects.locations.caPools/fetchCaCerts) API to retrieve the CA certificates. If you have configured your clients to automatically download the latest set of certificates from the CA pool, then you have to wait until all your clients get the new certificates. Otherwise, you can explicitly publish the new set of certificates to your clients.\n4. Change the state of the new CA to `ENABLED`. This ensures that certificates can be issued from both the old and the new CA. For information about enabling certificate authorities, see [Enable a CA](/certificate-authority-service/docs/managing-ca-state#enable).\n\n | **Note:** To ensure that the new certificates aren't causing outages, you can now choose to wait and monitor your environment.\n5. Change the state of the old CA to `DISABLED`. This ensures that certificates won't be issued by the old CA. For information about disabling certificate authorities, see [Disable a CA](/certificate-authority-service/docs/managing-ca-state#disable).\n\n | **Note:** CAs in the `DISABLED` state are still trusted by the clients and provided in the trust anchor for the CA pool.\n6. Wait until all clients have stopped using the certificates issued from the old CA. You can ensure that in two ways:\n\n - You can wait for the maximum certificate lifetime.\n - You can monitor the certificates being used by your clients.\n7. Delete the old CA. For more information about deleting a CA, see [Delete certificate authorities](/certificate-authority-service/docs/deleting-certificate-authorities).\n\nWhat's next\n-----------\n\n- Learn more about [CA states](/certificate-authority-service/docs/certificate-authority-states).\n- Learn how to [manage CA states](/certificate-authority-service/docs/managing-ca-state).\n- Learn how to [update CAs](/certificate-authority-service/docs/updating-certificate-authorities)."]]
