Find a solution and test it out when the CA certificate has expired how to get rid of it without causing service interruptions using EJBCA.

[syamimirfan]

Hi everyone,

I'm currently working with getting rid of CA certificate that has expired without causing service interruptions in EJBCA. I want to ask about

1. Could someone share the necessary steps or insights on how to solve it? Does it required to renew the CA or is there any automation renew for CA?

Thank you in advance for your assistance. Any guidance or pointers would be greatly appreciated!

[primetomas]

For Root CAs, while technically you can simply renew the existing Root CA using the same CA subject DN (with a button in EJBCA), the best practice today is to create a new Root CA with a difference subject DN. Setting up a new Root with a different subject DN makes it more clear, and less error prone when you distribute the new Root CA certificate, with no risk of any client/toolkit/human out there to mess up certificate chains.

For specific use cases, there is a functionality (Service) in EJBCA for automatic CA renewal, which is typically used for short lived Sub CAs though where the whole process can be automated, and not for Root CAs.

While technically the standards allow for many many options and way to do it, all of them are not to be recommended :-).
We have written a little bit about it here. https://doc.primekey.com/ejbca/ejbca-operations/ejbca-operations-guide/ca-operations-guide/managing-cas/ca-rekey-recommendations

[syamimirfan]

Hi primetomas, thank you for reply my question. But can you give me the steps or insight on how to renew the CA immediately by using the service in System Functions ?

[primetomas]

The Service is not used for that. In the Admin UI go to Certification Authorities, select your CA and click "Edit". Scroll to the bottom of the page, there is a "CA Life Cycle" section with a Renew CA button.

[syamimirfan]

Understood, can I make it automatically renew? Btw, there is Renew CA Service for select worker in Services under System Functions. Can I apply it to renew the CA?

ejbca | 2024-01-11 02:20:21,276+0000 INFO [org.ejbca.core.ejb.services.ServiceSessionBean] (EJB default - 1) Service renewCA executed with the following result: Success. The following CAs were renewed by the Renew CA Worker: PKIRootCASecond-G1, PKISubCASecond-G1, rootCASecond

I tried it yesterday and this is my result. Is it possible? Thank you for reply my question sir :)