Planned Certificate Rollover

Hi all,

I have inherited some VPN using certificates that expire in a few weeks and want to do a smooth rollover to new certificates.
This includes the CA certificates.

If I’m interpreting https://social.technet.microsoft.com/wiki/contents/articles/2016.root-ca-certificate-renewal.aspx correctly, the way to do this is to generate a new CA certificate, sign the new CA certificate with the old one and the old CA certificate with the new one.
After that I would roll out the new CA certificates and new server and client certificates signed by the new CA one by one.
At the end I can remove the old certificates and keys.

There are a few questions left for me:

  • Is this feasible?
  • How would I do these steps exactly with MikroTik RouterOS?

Thanks for your help.

Kind regards,
Mathias

OK, so I tested this in a lab.
First I wasn’t able to cross sign the two CA certificates on the MikroTik where they were created, so I had to look for other ways.
What worked in the end was the following:

  1. create the new CA, certs and keys as outlined in the manual
  2. copy and import the new certs and keys to all clients and servers
  3. update the configuration to use the new certs and keys when all clients and servers have at least imported the new CA
  4. remove the old CA, certs and keys when no client and no server uses them anymore

Regards,
Mathias
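For readers who want the cross-signed variant from the first post (the TechNet approach) rather than the import-everything-then-switch procedure that worked for Mathias: below is an added example that builds the two roots and the two bridge certificates with openssl on a workstation, since the second post reports that the cross-signing could not be done on the MikroTik itself. This is not code from the thread, from MikroTik or from the TechNet article. The CA names, the server name vpn.example.net, the file names and the 30-day lifetimes are constructed lab values, and the helper names (new_ca, cross_sign, issue_server, verify_chain, rollover_check) are invented here.

```shell
#!/bin/sh
# Cross-signed CA rollover lab (added example, not from the forum thread).
# Two roots: the old VPN CA every peer trusts today and the new VPN CA that replaces it.
# Each root signs the other root's public key, producing two "bridge" certificates, so a
# peer that trusts only ONE root can still validate certificates from the other root as
# long as the matching bridge certificate is sent along with the end-entity certificate.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for the lab files
DAYS=30                        # short lab lifetimes (constructed value)

# Extension profiles. authorityKeyIdentifier is deliberately "keyid" only: an AKI that also
# carried issuer name + serial would pin a certificate to one specific issuer certificate,
# and the bridge (same subject and key, but a different issuer and serial) would not match.
cat > "$WORK/ca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
cat > "$WORK/server.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:vpn.example.net
EOF

# new_ca NAME CN: key, CSR (reused for self-signing and for cross-signing) and self-signed root
new_ca() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/$1.key" 2>/dev/null
    openssl req -new -key "$WORK/$1.key" -subj "/CN=$2" -out "$WORK/$1.csr"
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days "$DAYS" \
        -extfile "$WORK/ca.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# cross_sign SUBJECT ISSUER: ISSUER's key signs SUBJECT's CSR -> $WORK/SUBJECT-by-ISSUER.crt
cross_sign() {
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days "$DAYS" -extfile "$WORK/ca.ext" \
        -out "$WORK/$1-by-$2.crt" 2>/dev/null
}

# issue_server NAME CA: end-entity certificate for the VPN server, issued by CA
issue_server() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/$1.key" 2>/dev/null
    openssl req -new -key "$WORK/$1.key" -subj "/CN=vpn.example.net" -out "$WORK/$1.csr"
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days "$DAYS" -extfile "$WORK/server.ext" \
        -out "$WORK/$1.crt" 2>/dev/null
}

# verify_chain ROOT BRIDGE LEAF: succeeds when a peer whose trust store holds only ROOT
# accepts LEAF, given BRIDGE (may be "") as extra, untrusted chain material.
verify_chain() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$WORK/$1" -untrusted "$WORK/$2" "$WORK/$3" >/dev/null 2>&1
    else
        openssl verify -CAfile "$WORK/$1" "$WORK/$3" >/dev/null 2>&1
    fi
}

build_lab() {
    new_ca old-ca "Old VPN CA"
    new_ca new-ca "New VPN CA"
    cross_sign new-ca old-ca   # new-ca-by-old-ca.crt: send with NEW-CA certs to peers still on the old root
    cross_sign old-ca new-ca   # old-ca-by-new-ca.crt: send with OLD-CA certs to peers already on the new root
    issue_server old-server old-ca
    issue_server new-server new-ca
}

# rollover_check: the four trust relations a staged rollover relies on; returns 0 if all hold.
rollover_check() {
    # a peer still on the old root rejects the new server cert without the bridge ...
    verify_chain old-ca.crt "" new-server.crt && return 1
    # ... and accepts it once the bridge certificate is presented
    verify_chain old-ca.crt new-ca-by-old-ca.crt new-server.crt || return 1
    # a peer already on the new root accepts the old server cert via the other bridge ...
    verify_chain new-ca.crt old-ca-by-new-ca.crt old-server.crt || return 1
    # ... and the new server cert directly
    verify_chain new-ca.crt "" new-server.crt || return 1
    return 0
}

build_lab
if rollover_check; then
    echo "rollover lab: all four trust checks behaved as expected (files in $WORK)"
else
    echo "rollover lab: unexpected verification result" >&2
    exit 1
fi
```

Run it with a POSIX shell and openssl 1.1.1 or newer. The PEM files it leaves in `$WORK` (the new root, the two bridge certificates, the server certificates and their keys) are what would then be uploaded to each RouterOS peer and imported with `/certificate import`, the bridge certificate being configured alongside the server certificate for as long as peers with the old trust store remain. The only deliberate design choice is the keyid-only authorityKeyIdentifier in both extension profiles: with issuer name and serial in the AKI, chain building to the bridge fails even though the bridge carries the same key, which is the most common reason a cross-signed rollover looks right on paper and then fails in the field.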