|
11 | 11 | . Short-lived certificates having certificate validity of one year.
|
12 | 12 | . Long-lived certificates having certificate validity of 10 years.
|
13 | 13 |
|
14 |
| -Most server or leaf certificates are short-lived. |
| 14 | +Most server or leaf certificates are short-term. |
15 | 15 |
|
16 | 16 | An example of a long-lived certificate is the client certificate for `system:admin user` authentication, or the certificate of the signer of the `kube-apiserver` external serving certificate.
|
17 | 17 |
|
18 | 18 | [id="microshift-certificate-rotation_{context}"]
|
19 | 19 | == Certificate rotation
|
20 |
| -As certificates age, {product-title} can be restarted to rotate certificates. A certificate that is close to expiring might also automatically cause a restart. Read the following situation overviews to understand the actions at each moment in time: |
21 |
| - |
22 |
| -. Green zone: |
23 |
| -.. When a short-term certificate is 5 months old, no rotation occurs. |
24 |
| -.. When a long-term certificate is 8.5 years old, no rotation occurs. |
25 |
| - |
26 |
| -. Yellow zone: |
27 |
| -.. When a short-term certificate is 8 months old, it is rotated when {product-title} starts or restarts. |
28 |
| -.. When a long-term certificate is 9 years old, it is rotated when {product-title} starts or restarts. |
29 |
| - |
30 |
| -. Red zone |
31 |
| -.. When a short-term certificate is 8 months old, {product-title} restarts to rotate and apply a new certificate. |
32 |
| -.. When a long-term certificate is 9 years old, {product-title} restarts to rotate and apply a new certificate. |
| 20 | +Certificates that are expired or close to their expiration dates need to be rotated to ensure continued {product-title} operation. When {product-title} restarts for any reason, certificates that are close to expiring are rotated. A certificate that is set to expire imminently, or has expired, can cause an automatic {product-title} restart to perform a rotation. |
33 | 21 |
|
34 | 22 | [NOTE]
|
35 | 23 | ====
|
36 | 24 | If the rotated certificate is a Certificate Authority, all of the certificates it signed rotate.
|
37 | 25 | ====
|
38 | 26 |
|
39 |
| -.Stoplight timeline of {product-title} certificate validity. |
40 |
| -image::microshift-cert-rotation.png[<{product-title} graph with symbolic green-yellow-red stoplight map of certificates>] |
| 27 | +[id="microshift-st-certificate-rotation_{context}"] |
| 28 | +=== Short-term certificates |
| 29 | +The following situations describe {product-title} actions during short-term certificate lifetimes: |
| 30 | + |
| 31 | +. No rotation: |
| 32 | +.. When a short-term certificate is up to 5 months old, no rotation occurs. |
| 33 | + |
| 34 | +. Rotation at restart: |
| 35 | +.. When a short-term certificate is 5 to 8 months old, it is rotated when {product-title} starts or restarts. |
| 36 | + |
| 37 | +. Automatic restart for rotation: |
| 38 | +.. When a short-term certificate is more than 8 months old, {product-title} can automatically restart to rotate and apply a new certificate. |
| 39 | + |
| 40 | +[id="microshift-lt-certificate-rotation_{context}"] |
| 41 | +=== Long-term certificates |
| 42 | +The following situations describe {product-title} actions during long-term certificate lifetimes: |
| 43 | + |
| 44 | +. No rotation: |
| 45 | +.. When a long-term certificate is up to 8.5 years old, no rotation occurs. |
| 46 | + |
| 47 | +. Rotation at restart: |
| 48 | +.. When a long-term certificate is 8.5 to 9 years old, it is rotated when {product-title} starts or restarts. |
| 49 | + |
| 50 | +. Automatic restart for rotation: |
| 51 | +.. When a long-term certificate is more than 9 years old, {product-title} can automatically restart to rotate and apply a new certificate. |
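Review bot: the rename on the old line 14 from "short-lived" to "short-term" leaves the unchanged context inconsistent: the two list items above still read "Short-lived certificates having certificate validity of one year" and "Long-lived certificates having certificate validity of 10 years", and the example sentence still says "An example of a long-lived certificate is ...", while the added subsections are titled "Short-term certificates" and "Long-term certificates" and use "short-term"/"long-term" in every bullet. Pick one pair of terms and apply it to those three unchanged lines in the same change, otherwise the definitions and the rotation rules appear to describe different categories. Two smaller points in the added subsections: the age ranges share their endpoints ("up to 5 months old" next to "5 to 8 months old", and "up to 8.5 years old" next to "8.5 to 9 years old"), so a certificate exactly at the boundary falls into two buckets; "less than 5 months old" / "5 to 8 months old" (and likewise for 8.5 years) removes the overlap. Also, the `.Stoplight timeline of {product-title} certificate validity.` title and the `image::microshift-cert-rotation.png[...]` reference are deleted here; confirm the PNG is either removed from the images directory in this PR or still referenced elsewhere, so it does not become an orphaned asset.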