What happens/what's the procedure when a certificate expires?

[2bam]

First of all thank you for this setup, it solves the exact problem I have.

It's just that I'm really unfamiliar with this technology and would like to know, and I think would also be a great addition to the README, what happens and what's the procedure when each of the certificates expire.

I'm using this for NAS encryption. I understand the shortest certificates (client/server) last 3 years, and the CA one (besides a typo in the config's number) meant to last 10. I intend to keep my system working longer than that and wouldn't want to have a surprise 3 years in where I can no longer access my data.

• Can they be reissued somehow?
• Is the reissue already automatic?
• Are the recovery keys the only way to resuscitate the decryption?

Thank you.

[rnurgaliyev]

You can recreate client or server certificates when it they expire, it is very simple, just delete client.crt or server.crt from certs directory and restart the container. You don't need to re-init DSM encryption vault for that. If you recreated client certificate, you will need to update it in DSM. If your CA expires, you may delete everything from certs, restart the container, it will recreate all certificates including CA, and your vault data should still be accessible, as long as state is intact. Don't forget to update CA and client certificate in DSM.

Just follow these basic rules:

1. Rotate your certificates before they expire, not after
2. Backup everything before regeneration of anything, this way you can always roll back if something didn't go as planned
3. Your main recovery option is recovery keys which you suppose to keep in safe place. You can always start from scratch even if this whole setup gets broken and no certificates can be used anymore, or the database is damaged. Wipe everything from state and certs, restart the container, disable and re-enable remote KMIP in DSM, and you will have fresh setup in 10 minutes.

[2bam]

Thank you for your quick response!

I need to bother you with two follow up questions, I hope you don't mind.

• Is there a way via command line tool to check the expiration date of a certificate?
  That way I can issue a warning when booting up the kmip service, like a month before it expires to make rotation easier.

• Would it be too risky to just set expiration dates to 100 years?
  If the system is compromised I don't think I'll even notice it, being 1y or 100y. And if I do notice, I understand would be the same procedure to rotate the keys (My use case is just to keep the keys separate from the device in case of physical theft).

Thanks again for sharing your knowledge.