Overview

This document describes Intermediate CA rotation in a scenario where the Root CA was imported and is not managed by Smallstep.

In a two-tiered PKI, intermediate CA rotation is intended to be a seamless process that, in most cases, does not require any changes on endpoints or servers.

The basic steps are as follows:

1. Reach out to Smallstep and tell us the CA URL of the Intermediate you need to rotate.
2. We will generate a CSR for you to sign with your root.
3. (optional, if hand-rotation is needed) Add the new intermediate as an additional CA to any trust configurations requiring hand-rotation. Do not remove the old intermediate CA yet, because clients are still using it.
4. Send the new signed Intermediate CA certificate back to us. We’ll replace your previous intermediate, and your CA will start issuing new certificates from your new intermediate.
5. (optional, if hand-rotation is needed) Ensure all previously-issued client certificates are renewed before removing the old intermediate CA from your hand-rotated trust bundles.

When and why hand-rotation is needed

For most clients and use cases, the issuing Intermediate CA certificate and the leaf certificate are issued and stored together in a PEM bundle that is never split. This makes rotation seamless, because a new intermediate will replace the old one upon the next leaf certificate renewal. Because the issuing intermediate always lives alongside the leaf certificate, the full certificate chain continues to be valid.

However, there are exceptions. A good example is YubiKey PIV and PKCS#11 Smart Card certificates. In most cases, a YubiKey can only store the leaf certificate, because only one certificate is allowed per key slot. In this case, the server must trust the intermediate CA in order to complete the trust chain. Therefore, you must hand-rotate the intermediate on the server for client connections to continue working properly.