Managing CA rotation
This page explains how you can manage the rotation of a CA in a CA pool. For more
information about CA pools, see Overview of CA pools.
Ensure seamless CA rotation
Ensuring seamless CA rotation is essential to avoid service downtime, or to deal with an emergency. The following procedure explains how you can seamlessly rotate a CA.
1. Find the CA pool for the existing CA that is due to expire.
2. Create a CA in the same CA pool.
   The CA is created in the STAGED state and cannot issue certificates through CA pool load-balancing. CAs in the STAGED state can only issue certificates when requested directly by the clients. For more information about CA states, see CA states.
3. Ensure that all clients have downloaded the latest set of CA certificates from the CA pool.
4. Change the state of the new CA to ENABLED. This ensures that certificates can be issued from both the old and the new CA. For information about enabling certificate authorities, see Enable a CA.
5. Change the state of the old CA to DISABLED. This ensures that certificates won't be issued by the old CA. For information about disabling certificate authorities, see Disable a CA.
6. Wait until all clients have stopped using the certificates issued from the old CA. You can ensure that in two ways:
   - You can wait for the maximum certificate lifetime.
   - You can monitor the certificates being used by your clients.
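The wait in the last step can be written as a check over monitoring data. The following is an added example, not code from the original page or from Google Cloud: the `Observation` record, the CA IDs `ca-old` and `ca-new`, the 30-day maximum lifetime and the sample data are constructed, and the monitoring-based check assumes every client is covered by the inventory.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Observation:               # hypothetical record from your own monitoring
    client: str                  # workload that presented the certificate
    issuer_ca: str               # ID of the issuing CA in the pool
    not_after: datetime          # certificate expiry
    seen_at: datetime            # when the client was seen presenting it

def lifetime_deadline(disabled_at, max_lifetime):
    """Option 1: the old CA issued nothing after disabled_at, so every
    certificate it issued has expired by disabled_at + max_lifetime."""
    return disabled_at + max_lifetime

def clients_still_on_old_ca(observations, old_ca, now):
    """Option 2: clients whose latest observed certificate is an unexpired
    certificate issued by old_ca."""
    latest = {}
    for obs in observations:
        if obs.client not in latest or obs.seen_at > latest[obs.client].seen_at:
            latest[obs.client] = obs
    return sorted(c for c, o in latest.items()
                  if o.issuer_ca == old_ca and o.not_after > now)

def old_ca_drained(observations, old_ca, now, disabled_at, max_lifetime):
    """True once either of the two conditions in the last step holds."""
    if now >= lifetime_deadline(disabled_at, max_lifetime):
        return True
    return not clients_still_on_old_ca(observations, old_ca, now)

# Constructed sample data: CA IDs, dates and the 30-day lifetime are made up.
UTC = timezone.utc
DISABLED_AT = datetime(2025, 1, 10, tzinfo=UTC)
MAX_LIFETIME = timedelta(days=30)
SAMPLE = [
    Observation("api", "ca-old", datetime(2025, 2, 1, tzinfo=UTC), datetime(2025, 1, 5, tzinfo=UTC)),
    Observation("api", "ca-new", datetime(2025, 2, 14, tzinfo=UTC), datetime(2025, 1, 15, tzinfo=UTC)),
    Observation("batch", "ca-old", datetime(2025, 2, 8, tzinfo=UTC), datetime(2025, 1, 9, tzinfo=UTC)),
]

if __name__ == "__main__":
    now = datetime(2025, 1, 20, tzinfo=UTC)
    print("deadline:", lifetime_deadline(DISABLED_AT, MAX_LIFETIME))
    print("still on old CA:", clients_still_on_old_ca(SAMPLE, "ca-old", now))
    print("drained:", old_ca_drained(SAMPLE, "ca-old", now, DISABLED_AT, MAX_LIFETIME))
```

A client that has renewed from the new CA drops out of the second check as soon as its latest observation shows the new issuer, which is why monitoring can finish the wait earlier than the lifetime deadline.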
Last updated 2025-12-15 UTC.