How to rotate cert-manager CA with new private key


In Kubernetes using cert-manager, I have a self-signed CA certificate to sign certificates for specific services. These services are configured to verify the TLS certificates of one another using this CA certificate.

I'm looking to perform a rotation of the self-signed CA certificate while generating a new private key (the recommended behavior). The challenge I'm facing is that when the CA is rotated with a new private key, the existing service certificates will no longer be valid against the new CA.

To address this, I believe I need a temporary period during which both the old and new CA certificates are valid (if I understand correctly, the minimum overlap duration should be the validity period of the service certificates), as in the image:

certificate rotation chart

So (according to the example in the picture) the 3rd certificate will be signed by the old CA, but it will be valid until the end of the old CA's validity, and the 4th certificate will already be signed by the new CA.

Is there a way to achieve this using cert-manager?
