0

We are using mTLS for our backend services authentication and the root certificate is set to expire in 2022. Here are the expiration details for all certificates:

  • The root certificate will expire in 2022
  • The intermediate certificates will expire in 2031
  • The leaf certificates will expire in 2023

I do not know why the root certificate was set to expire before all the others and I would like to avoid updating all the certificates in a few months if it is possible. Based on our tests, everything will still work after the root certificate expiration as long as the intermediate and the leaf certificates are still valid. We did the following tests to validate:

  • We updated the certificates in a test environment and set the root certificate to expire in one hour
  • Everything was working normally after one hour
  • We did another test with the intermediate certificates, making them expire in one hour
  • After one hour we started receiving authentication errors

Could someone confirm if our tests are sufficient to validate that the root certificate expiration shouldn't cause problems?

Thanks for any insight you can provide!

### Additional Information ###

We use mTLS authentication between our internal services:

  • Hashicorp Consul, Nomad and Vault
  • MongoDB
  • A few other services

On these instances, we can find the intermediate and leaf certificates but not the root.

If I validate the intermediate certificate, I can see that its expiration is in 1 year even though the root certificate has already expired.

I tested these certificates using Terraform to create 3 Consul servers in a new environment. The test certificates have been installed on each instance and the root certificate expiration is not causing any issues

StefB
  • 1
  • 1
  • It's unlikely that you've sufficiently tested this. I definitely wouldn't continue without much further testing. However, your question is quite vague and doesn't give away much. What tests have you carried out exactly? What is the relying-party in this scenario? Did you remember to install the new, short-lived root CA as the trust-anchor in the relying-party before testing? – garethTheRed Nov 10 '21 at 20:05
  • @garethTheRed Thanks for your input. I added a few more details at the end of the description. Regarding the root certificate expiration that is not causing any issues, could it be that this is because the assumption is that the root certificate *should* expire before the intermediate and leaves? Also if I understand correctly, in a worst case scenario I could generate a new root certificate using the same private key and the intermediate and leaves would still work until their own expiration, correct? – StefB Nov 12 '21 at 20:21
  • Yes, if you use the same key _and_ the exact same Subject, you can replace your expired root certificate with this new one. That's probably your safest option. You say that you validate, but you don't explain how. What tool are you using to validate? Also see @dave_thompson_085 [comments below](https://serverfault.com/questions/1083180/backend-services-root-certificate-expiration?noredirect=1#comment1414293_1083221). – garethTheRed Nov 13 '21 at 08:08
  • To test I deployed a cluster of 3 Consul instances that are using mTLS to communicate. As previously stated I do not see any error if I make the root certificate expires but if I make the intermediate certificate expires I am getting errors right away. I do not think that the root certificate is used at all in that scenario and I will have to validate all other internal services. I will plan on updating our root certificate to make sure that we won't face issues when the current root will expire. Thanks for your help! – StefB Nov 16 '21 at 00:49

1 Answers1

0

RFC 5280 compliant certificate validation function require that all certificates in the chain (including root certificate) MUST be within their validity periods at the time of validation. That is, proper certificate validation function will fail to validate your certificate chain after root is expired (in 2022).

RFC 5280 §6.1.3.a.3:

The certificate validity period includes the current time.

and this applies to every certificate in the chain. If you find that leaf certificate is successfully validated against expired root, then either:

  1. there is a cross-certificate which redirects you to another root
  2. certificate validation function is misconfigured and ignore certain validation errors.
Crypt32
  • 6,414
  • 1
  • 13
  • 32
  • 1
    5280 doesn't require it; 6.1.3 applies to 'certificate i for i in 1..n' as defined in 6.1 which EXCLUDES the trust anchor (i.e. root) -- which need not be a cert at all, and may not _have_ a validityPeriod. Note (b) on page 73, and more explicitly the second-to-last paragraph on page 73. **Most** implementations do use certs for anchors, and TTBOMK do check validity, but a notable exception is that LetsEncrypt is continuing to use an optional path to the DST X3 root which expired Sept 30 because old unupdatable Android phones still trust it but _don't_ trust the (newer) ISRG X1 root. – dave_thompson_085 Nov 13 '21 at 01:15
  • Let's encrypt solved their issue using cross-certificates. Otherwise, the web would be broken. This means that at least one non-expired root must present in all possible chains. – Crypt32 Nov 15 '21 at 12:06
  • It is certainly not necessary for all chains to be valid; ITYM there must be _a_ chain to an unexpired root. But that's not true for Android, as explained at https://letsencrypt.org/2020/12/21/extending-android-compatibility.html . (Actually it's not true for Java more generally, but unlike Android embedded on devices by vendors that drop support, Java on computer systems can usually be updated and doesn't need this hack.) – dave_thompson_085 Nov 16 '21 at 19:29