What happens/what's the procedure when a certificate expires? #25

Open
2bam opened this issue Feb 14, 2025 · 2 comments

@2bam

2bam commented Feb 14, 2025

First of all thank you for this setup, it solves the exact problem I have.

It's just that I'm really unfamiliar with this technology and would like to know, and I think it would also be a great addition to the README, what happens and what's the procedure when each of the certificates expires.

I'm using this for NAS encryption. I understand the shortest certificates (client/server) last 3 years, and the CA one (besides a typo in the config's number) is meant to last 10. I intend to keep my system working longer than that and wouldn't want to have a surprise 3 years in where I can no longer access my data.

  • Can they be reissued somehow?
  • Is the reissue already automatic?
  • Are the recovery keys the only way to resuscitate the decryption?

Thank you.

@rnurgaliyev
Owner

You can recreate client or server certificates when they expire, it is very simple, just delete client.crt or server.crt from certs directory and restart the container. You don't need to re-init DSM encryption vault for that. If you recreated client certificate, you will need to update it in DSM. If your CA expires, you may delete everything from certs, restart the container, it will recreate all certificates including CA, and your vault data should still be accessible, as long as state is intact. Don't forget to update CA and client certificate in DSM.

Just follow these basic rules:

  1. Rotate your certificates before they expire, not after
  2. Back up everything before regeneration of anything, this way you can always roll back if something didn't go as planned
  3. Your main recovery option is recovery keys which you are supposed to keep in a safe place. You can always start from scratch even if this whole setup gets broken and no certificates can be used anymore, or the database is damaged. Wipe everything from state and certs, restart the container, disable and re-enable remote KMIP in DSM, and you will have a fresh setup in 10 minutes.

@2bam
Author

2bam commented Feb 14, 2025

Thank you for your quick response!

I need to bother you with two follow-up questions, I hope you don't mind.

  • Is there a way via command line tool to check the expiration date of a certificate?
    That way I can issue a warning when booting up the kmip service, like a month before it expires to make rotation easier.

  • Would it be too risky to just set expiration dates to 100 years?
    If the system is compromised I don't think I'll even notice it, being 1y or 100y. And if I do notice, I understand it would be the same procedure to rotate the keys (My use case is just to keep the keys separate from the device in case of physical theft).

Thanks again for sharing your knowledge.
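
For the question above about checking expiry from the command line, an added example (not from the project or either commenter): a POSIX shell helper built on `openssl x509 -enddate` and `-checkend`. The `*.crt` glob and the `CERT_DIR` and `WARN_DAYS` variables are assumptions; the thread itself only names `client.crt`, `server.crt` and the `certs` directory.

```shell
#!/bin/sh
# Added example: warn when a certificate in the certs directory nears expiry.
# CERT_DIR and WARN_DAYS are assumed names, not settings of the project.

# check_cert FILE DAYS: prints one status line.
# Returns 0 = valid beyond DAYS, 1 = expiring or expired, 2 = unreadable.
check_cert() {
    cert=$1
    days=$2
    # -enddate prints "notAfter=<date>"; fails if the file is not a certificate
    end=$(openssl x509 -in "$cert" -noout -enddate 2>/dev/null) || {
        echo "UNREADABLE $cert"
        return 2
    }
    end=${end#notAfter=}
    # -checkend N exits 0 only if the certificate is still valid N seconds from now
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "EXPIRED $cert (notAfter $end)"
        return 1
    fi
    if ! openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        echo "EXPIRING $cert (notAfter $end, within $days days)"
        return 1
    fi
    echo "OK $cert (notAfter $end)"
    return 0
}

# check_cert_dir DIR [DAYS]: checks every *.crt in DIR (CA included, if stored there).
# Returns 0 = all fine, 1 = at least one needs rotation, 2 = nothing to check.
check_cert_dir() {
    dir=$1
    days=${2:-30}
    rc=0
    found=0
    for cert in "$dir"/*.crt; do
        [ -e "$cert" ] || continue
        found=1
        check_cert "$cert" "$days" || rc=1
    done
    [ "$found" -eq 1 ] || { echo "no .crt files in $dir"; return 2; }
    return "$rc"
}

# Runs only when CERT_DIR is set, e.g. CERT_DIR=./certs WARN_DAYS=30 sh check.sh
if [ -n "${CERT_DIR:-}" ]; then
    check_cert_dir "$CERT_DIR" "${WARN_DAYS:-30}"
fi
```

A non-zero exit from `check_cert_dir` can gate a boot-time warning or a scheduled job, so rotation happens before expiry rather than after.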
