CA Rotation Management
This section outlines the features for managing the rotation of Certificate Authorities, a critical security practice to maintain the integrity and trustworthiness of the PKI over time.
Key Functionalities
CA Rotation Overview
- Endpoint: /ca-rotation
- Description: Provides a centralized view of all Certificate Authorities, displaying their current rotation status, whether they are due for rotation (needsRotation()), and the urgency of such rotation (getRotationUrgency()). This indicates a proactive monitoring system for CA health.
Rotation Recommendations
- Endpoint: /ca-rotation/recommendations
- Description: Presents specific recommendations for CA rotation, likely based on predefined organizational policies, cryptographic best practices, or detected vulnerabilities.
Detailed Rotation Status
- Endpoint: /ca-rotation/{ca}/status
- Description: Displays a detailed rotation status report for a specific CA, including the results of prerequisite validations. This helps administrators understand the current state and any blockers for rotation.
Validate Rotation Prerequisites
- Endpoint: /ca-rotation/{ca}/validate-prerequisites
- Description: Explicitly checks and lists all unmet prerequisites that must be resolved before a CA can be rotated. Rotation cannot proceed if any prerequisites are outstanding.
CA Rotation Form
- Endpoint: /ca-rotation/{ca}/rotate
- Description: Provides a user interface to initiate the CA rotation process. If prerequisites are not met, the user is redirected to the validation page with an error.
- Default Configuration for New CA: The form pre-fills with sensible defaults for the new CA, such as:
  - validity_days: 3650 days (10 years)
  - key_size: 4096 bits
  - hash_algorithm: sha256
  - enable_cross_signing: true (enabled by default)
  - cross_sign_validity_days: 90 days
Perform CA Rotation
- Endpoint: POST /ca-rotation/{ca}/perform-rotation
- Description: Executes the CA rotation process, creating a new CA to replace the old one.
- Input Validation: Requires the following parameters:
  - validity_days: Integer, between 365 and 7300 days (1 to 20 years).
  - key_size: Integer, one of 2048, 3072, 4096.
  - hash_algorithm: String, one of sha256, sha384, sha512.
  - enable_cross_signing: Boolean, to enable or disable cross-signing.
  - cross_sign_validity_days: Integer, between 30 and 365 days, if cross-signing is enabled.
  - confirm_rotation: Required and must be accepted by the user.
- Cross-Signing: The system supports cross-signing the old CA with the newly generated CA. This is a critical feature for maintaining trust and ensuring a smooth transition for certificates issued by the old CA during the rotation period.
- Outcome: Upon successful rotation, the user is redirected to the status page of the newly created CA.
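The parameter rules above, written out as a server-side check. This is an added example, not the project's own code; the function names, the dict-shaped request and the error messages are assumptions.

```python
# Added example (not the project's code): checks a perform-rotation request
# against the limits documented above. Function names, the dict request shape
# and the error messages are assumptions.
ALLOWED_KEY_SIZES = {2048, 3072, 4096}
ALLOWED_HASHES = {"sha256", "sha384", "sha512"}

# Form defaults as listed on this page (it lists no default for confirm_rotation).
FORM_DEFAULTS = {
    "validity_days": 3650,
    "key_size": 4096,
    "hash_algorithm": "sha256",
    "enable_cross_signing": True,
    "cross_sign_validity_days": 90,
}


def _is_int(value):
    # bool is a subclass of int in Python, so True must not pass as a number.
    return isinstance(value, int) and not isinstance(value, bool)


def _check_range(errors, params, field, low, high):
    value = params.get(field)
    if not _is_int(value):
        errors[field] = "must be an integer"
    elif not low <= value <= high:
        errors[field] = f"must be between {low} and {high}"


def validate_rotation_request(params):
    """Return {field: message} for each broken rule; an empty dict means valid."""
    errors = {}
    _check_range(errors, params, "validity_days", 365, 7300)
    key_size = params.get("key_size")
    if not _is_int(key_size) or key_size not in ALLOWED_KEY_SIZES:
        errors["key_size"] = "must be one of 2048, 3072, 4096"
    hash_alg = params.get("hash_algorithm")
    if not isinstance(hash_alg, str) or hash_alg not in ALLOWED_HASHES:
        errors["hash_algorithm"] = "must be one of sha256, sha384, sha512"
    cross = params.get("enable_cross_signing")
    if not isinstance(cross, bool):
        errors["enable_cross_signing"] = "must be true or false"
    elif cross:
        # The cross-sign window is only checked when cross-signing is enabled.
        _check_range(errors, params, "cross_sign_validity_days", 30, 365)
    # confirm_rotation must be explicitly accepted; absent or false blocks the request.
    if params.get("confirm_rotation") is not True:
        errors["confirm_rotation"] = "must be accepted"
    return errors
```

Submitting the form defaults without ticking the confirmation yields a single confirm_rotation error, and a request with cross-signing disabled passes without cross_sign_validity_days.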
Certificate Migration Plan
- Endpoint: /ca-rotation/{oldCA}/{newCA}/migration-plan
- Description: Generates and displays a plan for migrating existing certificates from the oldCA to the newCA after a rotation. This ensures that services relying on certificates issued by the old CA can transition to the new CA without disruption.
Inferred Specifications
- Proactive Monitoring: The system includes mechanisms to monitor CA validity and proactively identify CAs that require rotation, providing recommendations and urgency indicators.
- Controlled Rotation Process: CA rotation is a highly controlled process, enforced by strict prerequisite checks that must be satisfied before rotation can commence.
- Configurable New CA Attributes: During rotation, administrators can configure key cryptographic attributes of the new CA, including its validity period, key size, and hash algorithm.
- Graceful Trust Transition with Cross-Signing: The support for cross-signing the old CA with the new one for a defined period is crucial for a graceful transition of trust, allowing clients to validate certificates issued by both the old and new CAs during the transition phase.
- Certificate Continuity: The provision of a certificate migration plan ensures that the continuity of services relying on issued certificates is maintained post-rotation.
- Supported Key Sizes for Rotation: 2048, 3072, 4096 bits.
- Supported Hash Algorithms for Rotation: sha256, sha384, sha512.
- New CA Validity Range: From 1 year (365 days) to 20 years (7300 days).
- Cross-Sign Validity Range: From 30 days to 365 days.
- Auditability: Given the critical nature of CA rotation, it is highly probable that all rotation-related actions are thoroughly logged for audit purposes (though not explicitly shown in this controller, it's implied by the use of CARotationService and the overall system's audit logging).