The procedure to roll over / extend the expiration is outlined at https://wikitech.wikimedia.org/wiki/Cassandra#Installing_and_generating_certificates
We can change cassandra-ca-manager to issue CA certs with a default expiration of 5yr and issue a new CA cert.
The proposed solution to monitoring certificate expiration (https://gerrit.wikimedia.org/r/#/c/305633) acts remotely using the encrypted inter-node messaging port (7001), and so tests the server certificate only. This still leaves open the question of monitoring the root CA for expiration.
It has already been suggested that we increase the root CA expiration from 1 year to 5. I wonder, is there much of a difference, security-wise, between 5 years and, say, 50 (where 50 years is arbitrary, something that for this purpose seems indefinite)? Should we just make the expiration long enough that we'll never have to worry about it expiring?
This is complete with a 50y CA in the restbase test cluster; production cluster to follow Monday week.
root@cerium:/etc/cassandra-a/tls# keytool -list -keystore server.key
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

cerium-a, Sep 8, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): EA:B9:2C:EB:1E:57:BA:1F:71:84:70:11:12:E6:62:BF:E8:B9:48:AA
mykey, Sep 8, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): B6:97:AF:B9:94:C5:21:A0:C2:FE:82:DC:9B:64:06:AC:16:35:EF:7C
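The open question above is how to monitor the root CA itself, since the remote check on port 7001 only ever sees the server certificate. The script below is an added example for this thread (it is not part of the task, the Gerrit change, or cassandra-ca-manager): it checks how many days a PEM certificate remains valid using `openssl x509 -checkend`, and demonstrates the difference on two constructed, throwaway self-signed CAs, one issued for 1 year (the current default) and one for 50 years (as deployed on the test cluster). The names `check_expiry`, `make_demo_ca` and `demo-ca-*` are this example's own.

```shell
#!/bin/sh
# Added example (not from the task or cassandra-ca-manager): report whether a
# PEM certificate stays valid beyond a warning window, so a root CA can be
# monitored directly instead of only through the inter-node port.
set -eu

# cert_not_after CERT_PEM: print the certificate's notAfter date.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# check_expiry CERT_PEM WARN_DAYS: return 0 if the certificate remains valid
# for more than WARN_DAYS days, 1 if it expires inside that window (or already
# has). `openssl x509 -checkend` takes the window in seconds.
check_expiry() {
    window=$(( $2 * 86400 ))
    if openssl x509 -in "$1" -noout -checkend "$window" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# make_demo_ca OUT_DIR NAME DAYS: generate a constructed self-signed CA with a
# throwaway key (demonstration only), valid DAYS days; prints the cert path.
make_demo_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$3" \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
    echo "$1/$2.crt"
}

# report CERT_PEM WARN_DAYS: one human-readable line, never aborts the script.
report() {
    if check_expiry "$1" "$2"; then
        echo "OK       $1 valid beyond $2 days (notAfter=$(cert_not_after "$1"))"
    else
        echo "WARNING  $1 expires within $2 days (notAfter=$(cert_not_after "$1"))"
    fi
}

# Demo on two constructed CAs: 1-year (current default) vs 50-year.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
one_year=$(make_demo_ca "$demo_dir" demo-ca-1y 365)
fifty_year=$(make_demo_ca "$demo_dir" demo-ca-50y 18250)
report "$one_year" 400     # warns: a 1-year CA falls inside a 400-day window
report "$fifty_year" 400   # ok
```

To point this at the real trust anchor shown in the keystore listing above, export the `mykey` trustedCertEntry to PEM with `keytool -exportcert -alias mykey -rfc -keystore server.key -file ca.pem` and run `check_expiry ca.pem 90` from a cron or NRPE check; the same call on the PEM form of the server cert covers the leaf, so both halves of the chain get an alert before expiry rather than after.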