How to handle expiring root certificate (internal CA)

1. The problem I’m having:

I’m wondering what the procedure for updating a root certificate is for an internal CA? For example, if I have:

example.internal {
  tls internal
  log {
    output file /var/log/caddy/caddy.log
  }

  reverse_proxy http://172.23.117.124:8080
}

Caddy generates a root.crt under pki/authorities/local/root.crt. If I then add this certificate to all the machines on the company intranet as a trusted CA root, then everyone can go to https://example.internal and browsers give the green lock icon, etc., and everyone is happy.

However, I noticed root.crt is only good for 10 years. After 10 years, is everything going to break?

I checked here: Using Caddy to keep certificates renewed

But it wasn’t clear to me if the root certificate is also auto-renewed (and if so, if the auto-renewal would break everything).

What’s the recommended procedure for handling root certificate expiry?

2. Error messages and/or full log output:

n/a

3. Caddy version:

v2.8.4 h1:q3pe0wpBj1OcHFZ3n/1nl4V4bxBrYoSoab7rL9BMYNk=

4. How I installed and ran Caddy:

a. System environment:

Linux, amd64, docker

b. Command:

docker-compose up

c. Service/unit/compose file:

services:
  caddy:
    container_name: caddy
    image: caddy:latest
    restart: unless-stopped
    ports:
      - "443:443"
    volumes:
      - $PWD/Caddyfile:/etc/caddy/Caddyfile
      - caddy_data:/data
      - caddy_config:/config

volumes:
  caddy_data:
    external: true
  caddy_config:

d. My complete Caddy config:

example.internal {
  tls internal
  log {
    output file /var/log/caddy/caddy.log
  }

  reverse_proxy http://172.23.117.124:8080
}

5. Links to relevant resources:

Good question; the root certificate isn’t automatically renewed (because it has to be installed in various places anyway). I’ve thought about a longer lifetime for them – and I could be convinced of it probably – I just figured 10 years was a reasonable space between operational “checkpoints”.

If you use the same key, assuming the algorithm is still secure, then the certs will all still be trusted, just plop in the new root cert.

Either this or I have until about 2029 to figure out something else. :sweat_smile:


Thanks for the reply. So would it be fair to say that as of September 2024, the best guidance is probably:

  • User is responsible for keeping track of when root.crt is about to expire
  • User is responsible for generating a new root.crt using openssl CLI (optionally using same key root.key)
  • User is responsible for dropping the new root.crt into pki/authorities/local and restarting Caddy
  • User is responsible for pushing out new root.crt to trusted stores on machines on intranet

Did I miss anything?


Aye, that should do it.

Sorry if that’s annoying. I’m not sure “auto-renewing root certs” is well-studied or recommended at this point, so I haven’t gone there yet.

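The "same key, new root.crt" step from the list above, as an added Go example (my own code, not Caddy's): it issues a constructed 10-year root, signs a short-lived leaf with it, then re-issues the root once with the same key and once with a fresh key, and checks which replacement still validates the existing leaf. The CA name, dates, serials and hostname are constructed, and the leaf lifetime is arbitrary rather than Caddy's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// genKey makes a throwaway P-256 key; nothing in this constructed demo is persisted.
func genKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
// sign creates and parses a certificate; parent == tmpl yields a self-signed root.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil { panic(err) } // fixed constructed inputs: only a coding error can fail here
	cert, _ := x509.ParseCertificate(der)
	return cert
}
// newRoot self-signs a CA cert for key; calling it again with the SAME key and a later start is the "same key, new root.crt" step.
func newRoot(key *ecdsa.PrivateKey, serial int64, start time.Time, years int) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), IsCA: true, BasicConstraintsValid: true,
		Subject:   pkix.Name{CommonName: "Internal CA (constructed)"}, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: start, NotAfter: start.AddDate(years, 0, 0)}
	return sign(t, t, &key.PublicKey, key)
}
// trustedBy reports whether leaf for host verifies at now against a store holding only root.
func trustedBy(leaf, root *x509.Certificate, host string, now time.Time) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, CurrentTime: now})
	return err == nil
}
// rotate models the thread: a 10-year root from 2019, a short-lived leaf it signed in 2024, then two replacement roots.
func rotate() (sameKeyOK, newKeyOK bool) {
	host, now := "example.internal", time.Date(2024, 9, 15, 0, 0, 0, 0, time.UTC)
	oldKey, newKey := genKey(), genKey()
	oldRoot := newRoot(oldKey, 1, time.Date(2019, 6, 1, 0, 0, 0, 0, time.UTC), 10)
	leaf := sign(&x509.Certificate{SerialNumber: big.NewInt(100), DNSNames: []string{host},
		NotBefore: now.AddDate(0, 0, -1), NotAfter: now.AddDate(0, 0, 11),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, oldRoot, &genKey().PublicKey, oldKey)
	sameKeyOK = trustedBy(leaf, newRoot(oldKey, 2, now.AddDate(0, 0, -14), 10), host, now) // reissued root, same key
	newKeyOK = trustedBy(leaf, newRoot(newKey, 2, now.AddDate(0, 0, -14), 10), host, now)  // new key: old leaf no longer chains
	return
}

func main() { fmt.Println(rotate()) } // prints: true false
```

The second result is the reason the thread stresses reusing root.key: a root re-issued under a new key would invalidate every leaf Caddy has already issued until they are reissued too.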

Nah, it’s not Caddy’s fault, just the nature of the beast with root certs. Any option for auto-renewing root cert would probably need to be opt-in because it could potentially break a lot of things otherwise.

Thanks!
