Change the certificate validity period

Change the certificate validity period

You can change a certificate validity period by managing the validity period of the signing policy, which is used for certificates generation and is set to 365 days by default.


The procedure does not update the CA certificates and does not change the signing policy itself.

To change the certificate validity period:

  1. Log in to the Salt Master node.

  2. In classes/cluster/<cluster_name>/infra/config/init.yml, specify the following pillar:

        salt_minion_ca_days_valid_certificate: <required_value>
  3. Apply the changes:

    salt '*' saltutil.sync_all
    salt -C 'I@salt:master' state.sls
    salt -C 'I@salt:master' state.sls salt.minion
  4. Remove the certificate you need to update.

  5. Apply the following state:

    salt -C '<target_node>' state.sls salt.minion.cert
  6. Verify the end date of the updated certificate:

    salt -C <taget_node> 'openssl x509 -enddate -noout -in <path_to_cert>'