Rotation Can’t Be an Afterthought

Creating certificates once is easy.
Remembering to rotate them before they expire is the real work.

In my setup I have:

  • admin mTLS certs with short TTL,
  • Vault server certs with medium TTL,
  • possibly long-lived intermediates and root CAs.

If I rely on my memory, I will forget. So I want systemd timers to help me.

What I Want to Rotate Automatically

At minimum:

  • admin client certificates:
      • used by CLI and automation scripts,
      • very painful if they expire during mTLS enforcement.
  • Vault server certificates:
      • so I don’t get surprises with browsers or clients failing.

The root and intermediates stay manual and rare: I don’t want automation accidentally touching those keys.

Timer-Driven Approach

On the test environment, I want something like:

  • a vault-admin-rotate.service that:
      • calls a script,
      • uses a maintenance path if needed,
      • issues a fresh admin cert via pki-test,
      • updates the VAULT_CLIENT_CERT/VAULT_CLIENT_KEY locations.
  • a vault-admin-rotate.timer that runs e.g. weekly and checks:
      • if the current admin cert is close to expiry,
      • if yes → rotate,
      • if no → log and exit.

The same pattern can later be used for server and proxy certificates.
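As an added example (not code from the original post), this is what the script behind vault-admin-rotate.service could look like: check the admin cert with openssl, rotate only when it is close to expiry, otherwise log and exit. The PKI_ISSUE_CMD hook and ROTATE_BEFORE_SECONDS are assumptions; VAULT_CLIENT_CERT/VAULT_CLIENT_KEY are the paths the post already uses.

```shell
#!/bin/sh
# Added example (not from the original post): the script a
# vault-admin-rotate.service could run. Assumptions: VAULT_CLIENT_CERT and
# VAULT_CLIENT_KEY name the current admin cert/key, and PKI_ISSUE_CMD is a
# hypothetical executable that writes a fresh cert and key to the two paths
# it is given (a wrapper around the pki-test issuing step).
set -eu

ROTATE_BEFORE_SECONDS="${ROTATE_BEFORE_SECONDS:-1209600}"   # 14 days

log() { printf '%s vault-admin-rotate: %s\n' "$(date -u +%FT%TZ)" "$*"; }

# Returns 0 when the cert at $1 is missing, unreadable, expired, or will expire
# within $2 seconds; 1 when it still has enough lifetime left.
# (openssl x509 -checkend N exits 0 if the cert is still valid N seconds from now.)
cert_needs_rotation() {
    cert="$1"; threshold="$2"
    [ -r "$cert" ] || return 0
    if openssl x509 -in "$cert" -noout -checkend "$threshold" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Issue into temp files beside the destination, then move them into place, so a
# client reading VAULT_CLIENT_CERT/KEY never sees a half-written file.
rotate_admin_cert() {
    cert="$1"; key="$2"
    dir=$(dirname "$cert")
    tmpc=$(mktemp "$dir/.cert.XXXXXX"); tmpk=$(mktemp "$dir/.key.XXXXXX")
    "$PKI_ISSUE_CMD" "$tmpc" "$tmpk"
    chmod 0600 "$tmpk"
    mv "$tmpk" "$key"
    mv "$tmpc" "$cert"
}

# What the timer-triggered service runs: rotate if close to expiry, else just log.
rotate_if_needed() {
    if cert_needs_rotation "$VAULT_CLIENT_CERT" "$ROTATE_BEFORE_SECONDS"; then
        log "admin cert expires within ${ROTATE_BEFORE_SECONDS}s, rotating"
        rotate_admin_cert "$VAULT_CLIENT_CERT" "$VAULT_CLIENT_KEY"
        log "rotated admin cert at $VAULT_CLIENT_CERT"
    else
        log "admin cert still valid beyond ${ROTATE_BEFORE_SECONDS}s, nothing to do"
    fi
}

if [ "${1:-}" = "run" ]; then rotate_if_needed; fi
```

The service unit's ExecStart would invoke this script with the `run` argument, and the timer would pair `OnCalendar=weekly` with `Persistent=true` so a missed run (machine off) is caught up at the next boot.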