#93 implemented implicit CA rotation when the CA certificate is about to expire, but it would be useful to have a way to initiate it manually (such as for #465).
One way to do this would be to add an annotation to the CA Secret that overrides the certificates' notBefore (expiration) time for renewal purposes. This way, you could request "replace this CA in a week", causing a new CA to be provisioned immediately, and provisioning using the old one to stop after about a week (still leaving a clean migration window, though shortened compared to the regular one).
#93 implemented implicit CA rotation when the CA certificate is about to expire, but it would be useful to have a way to initiate it manually (such as for #465).
One way to do this would be to add an annotation to the CA Secret that overrides the certificates'
notBefore(expiration) time for renewal purposes. This way, you could request "replace this CA in a week", causing a new CA to be provisioned immediately, and provisioning using the old one to stop after about a week (still leaving a clean migration window, though shortened compared to the regular one).