Well-Architected Framework
Rotate expired certificates
We recommend that you define a consistent TTL for every certificate in your infrastructure and automatically rotate your certificates before they expire. When you implement automatic certificate rotation, configure your alerting solution to notify you before a certificate becomes invalid, so that you still have time to act if a service or piece of infrastructure fails to reload the new certificate. You can apply the same process you use for expiring certificates to other situations, such as revoking a certificate outside of your usual rotation cycle. If a certificate is compromised, a private key is leaked, or another security incident occurs, having a solution that can quickly revoke the certificate and issue a new one helps reduce downtime and improves security.
HashiCorp Vault can manage, issue, rotate, and revoke certificates throughout your infrastructure. You can also use the Vault Agent to automatically make requests on behalf of the client application. This means once you reissue a certificate, the Vault Agent automatically makes it available to your application. You can use Vault Agent's reload capability to restart the service to use the new certificates or build the reload into the application.
You can use the Vault Agent to supervise a specific process and take actions related to that process. For example, if you use the Vault Agent with MongoDB, the agent can restart the service or send a signal to the process to reload the configuration after it obtains a new TLS certificate.
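The reload flow described above, as an added Vault Agent configuration example that is not from the original page: the Agent authenticates with AppRole, renders a certificate from the Vault PKI secrets engine, and reloads MongoDB after each rotation. The Vault address, the PKI mount `pki`, the role `mongodb`, the hostname, the AppRole credential paths and the `systemctl reload` command are assumptions.

```hcl
# Added example (not HashiCorp's code): Vault Agent rotates a MongoDB TLS
# certificate and reloads the service when a new one is written.
# Assumed values: Vault address, PKI mount "pki", role "mongodb", hostname,
# AppRole credential paths and the reload command.
vault {
  address = "https://vault.example.internal:8200"
}

auto_auth {
  method "approle" {
    config = {
      role_id_file_path   = "/etc/vault-agent/role_id"
      secret_id_file_path = "/etc/vault-agent/secret_id"
    }
  }
}

# Exit instead of silently serving stale files if Vault stays unreachable.
template_config {
  exit_on_retry_failure = true
}

template {
  # pkiCert reuses the certificate already on disk while it is still valid and
  # only requests a new one as it nears its notAfter, so the TTL below sets the
  # rotation cadence. Keep it consistent with the TTL used elsewhere.
  contents = <<EOT
{{ with pkiCert "pki/issue/mongodb" "common_name=db01.example.internal" "ttl=72h" }}
{{ .Cert }}
{{ .CA }}
{{ .Key }}
{{ end }}
EOT
  destination = "/etc/mongodb/tls/combined.pem"
  perms       = "0600"

  # Runs after every successful render, i.e. after every rotation. A failed
  # reload is logged by the Agent; alert on the certificate's notAfter in your
  # monitoring so a missed reload is noticed before the old certificate expires.
  exec {
    command = ["systemctl", "reload", "mongod"]
    timeout = "30s"
  }
}
```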
HashiCorp resources:
- Build your own certificate authority (CA)
- X.509 certificate management with Vault
- Vault Agent and Vault Proxy quickstart
- Vault Agent's Process Supervisor mode
- Vault Agent - secrets as environment variables tutorial
- Monitor Vault telemetry & audit devices
Next steps
In this section of Security and compliance, you learned about rotating expired certificates. Rotating expired certificates is part of the Secure systems pillar.