Skip to content

feat: root CA key cross-signed rollover (post-v1.0.0) #161

Description

@Bugs5382

Follow-up to the CA-hardening rotation work (2d v1 shipped subordinate re-key only). Build seamless ROOT key rollover via cross-signing: the old root cross-signs the new root's key so existing subordinate chains keep validating during the transition, plus dual-anchor trust distribution (relying parties trust both old and new root until the old expires/is retired). This is a large, distinct design (chain continuity, cross-cert issuance, trust rollover) and roots rotate rarely.

SCHEDULING: deferred to after a proven v1.0.0 / GOLD (Shane, 2026-07-06). Not part of the pre-GOLD hardening pass.

Metadata

Metadata

Assignees

Labels

enhancementNew feature (feat). Minor version bump.

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions