PrivX Authorizer CA Key Rotation

Each access group is associated with a distinct authorizer CA key and a certificate used during authentication to target hosts. The CA key and certificate must be renewed before the certificate expires, or they need to rotated regularly per company policies.

The rotation process involves the following steps:

  • Create a new CA key in Administration→Access Groups→CA Key Details by choosing Renew CA Key
  • Update the CA public key or certificate on all target hosts belonging to that access group (more on this below)
  • Select the new CA key as the Primary CA Key in the Access Groups view
  • Remove the old CA key once it is no longer used by any hosts

Target hosts using stored credentials for authentication are unaffected by CA key rotation.

CA Key Rotation for SSH Hosts

SSH hosts that are configured to accept OpenSSH certificate authentication store the CA public key in /etc/ssh/

The easiest method for updating SSH hosts is to run the deployment script with the --rotate-ca option. This will retrieve the new CA public key from PrivX. Note that this will always prefer the CA whose certificate has the furthest expiration date, regardless if it's set as primary or not. If you need to update to a key with a shorter validity period, you must manually replace the key.

PrivX SSH bastion and SSH proxy will attempt authentication using certificates issued by all access group's CA keys, but prioritizing the primary CA key. Thus, SSH targets will continue to be reachable during the migration period regardless of which CA key is currently trusted by the host.

Lowering the OpenSSH server configuration option MaxAuthTries from its default value of 6 may cause OpenSSH hosts to become unreachable.

CA public keys are listed in the Access Groups view.

Certificate Rotation for RDP Hosts

Windows hosts that are configured to accept RDP certificate authentication need to import and publish the new PrivX CA certificate on the domain. Follow the instructions in RDP Certificate Authentication on how to accomplish this.

Once the new certificate has been published, change the primary CA key in PrivX to the new one. When you have confirmed that the new key works, the old key can be removed in PrivX.

X.509 Certificate Rotation for Tectia SSH Server

Replace the previous PrivX certificate with the newly created one and ensure that any configured certificate rules match the new certificate. Run ssh-server-ctl reload to apply the new certificate.

Was this page helpful?