Certificate Trust

Rotating root certificates requires maintaining trust between existing client certificates and Grid routers. If HTTPS certificates are replaced at the same time as the root is rotated, clients holding older but still valid certificates may refuse to communicate with the Grid, which effectively makes those certificates unusable.

When Grid generates a client certificate keystore, it includes trust material for all valid root certificates, including both active and rotated ones.

To maintain trust with older client certificates during root certificate rotation, Grid delays using the new root certificate to issue HTTPS certificates until one year has passed and all client certificates issued by the old root have expired. If the old rotated root is revoked, HTTPS certificates will be issued by the current root even before the one-year period expires.
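
A small model of the issuer-selection rule described above, as an added example and not Grid's own code. The Root type, the function names, the dates, and the choice to measure the one-year period from the rotation time are assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import Optional

HOLD = timedelta(days=365)  # the "one year" delay; assumed to start at rotation time


@dataclass(frozen=True)
class Root:  # hypothetical model of a Grid root certificate
    name: str
    created: datetime
    rotated_at: Optional[datetime] = None  # set once a newer root replaces it
    revoked: bool = False


def keystore_trust(roots):
    """Trust material for a newly generated client keystore:
    every valid root, active or rotated."""
    return {r.name for r in roots if not r.revoked}


def https_issuer(roots, now):
    """Root that signs HTTPS certificates at time `now`."""
    valid = [r for r in roots if not r.revoked]
    active = next(r for r in valid if r.rotated_at is None)
    # A rotated, unrevoked root keeps issuing until its hold period ends.
    held = [r for r in valid if r.rotated_at and now < r.rotated_at + HOLD]
    # Oldest held root wins, so the oldest unexpired keystores still match.
    return min(held, key=lambda r: r.created) if held else active


def client_connects(trusted, roots, now):
    """True if a keystore trusting `trusted` accepts the HTTPS issuer."""
    return https_issuer(roots, now).name in trusted


# Constructed timeline: R1 is rotated out in favour of R2 on 2024-01-01.
R1 = Root("R1", datetime(2023, 1, 1), rotated_at=datetime(2024, 1, 1))
R2 = Root("R2", datetime(2024, 1, 1))
OLD_KEYSTORE = keystore_trust([replace(R1, rotated_at=None)])  # made before rotation
NEW_KEYSTORE = keystore_trust([R1, R2])                        # made after rotation

if __name__ == "__main__":
    for when in (datetime(2024, 6, 1), datetime(2025, 1, 2)):
        print(when.date(), https_issuer([R1, R2], when).name,
              client_connects(OLD_KEYSTORE, [R1, R2], when),
              client_connects(NEW_KEYSTORE, [R1, R2], when))
```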