Skip to content

IronRoot

PKI Concepts

IronRoot

Getting Started
Getting Started
Architecture
Architecture
- System Model
  System Model
- PKI Model
  PKI Model
- Platform Components
  Platform Components
- Reference
  Reference
Installation
Installation
- Install Methods
  Install Methods
- Configure
  Configure
  - Configuration
  - Local Development
- Runtime TLS
  Runtime TLS
  - Podman TLS Usage
- Lifecycle
  Lifecycle
  - Upgrades
  - Uninstall
Security
Security
- Bootstrap And Checks
  Bootstrap And Checks
  - Bootstrap Guide
  - Security Check
- Trust And CA Handling
  Trust And CA Handling
- Hardening
  Hardening
- Resilience
  Resilience
Observability
Observability
- Signals
  Signals
  - Traces
  - Metrics
  - Logs
- OpenTelemetry Stack
  OpenTelemetry Stack
  - OpenTelemetry
  - Collector
  - Prometheus
  - Tempo
  - Loki
  - Grafana
- Operations
  Operations
- Deployment Integrations
  Deployment Integrations
  - Kubernetes
  - Podman
  - Binary
Kubernetes
Kubernetes
- Deploy
  Deploy
  - Helm Installation
  - Values Reference
- Operate
  Operate
Airgap
Airgap
- Overview
- Offline Trust
  Offline Trust
- Artifact Movement
  Artifact Movement
- Operations
  Operations
  - Airgap Upgrades
  - Airgap Recovery
Operations
Operations
- Certificate Operations
  Certificate Operations
- Recovery
  Recovery
- Runbooks
  Runbooks
API & CLI
API & CLI
- API
  API
- CLI
  CLI
- Configuration
  Configuration
  - Configuration Reference
  - Environment Variables
Contributing
Contributing
- Start Here
  Start Here
  - Local Development
    Local Development
    
    Overview
    
    Up And Running
    
    Multi-Root CA Development
    
    RBAC Development
    
    Testing And Verification
    
    Troubleshooting
  - Platform Setup
- Contributor Workflow
  Contributor Workflow
- Specialized Development
  Specialized Development
  - Helm Development
  - OpenTelemetry Development
- Releases And Roadmap
  Releases And Roadmap
- Project Community
  Project Community

PKI Concepts¶

Stage: Alpha Status: Draft

Offline Root CA¶

The Root CA is the long-lived trust anchor. IronRoot recommends a 20 year Root CA lifetime and keeping the root private key offline.

Online Intermediate CA¶

The Intermediate CA is online and signs workload CSRs. IronRoot recommends a 5 year Intermediate CA lifetime.

Issued certificates¶

Server and workload certificates default to 90 days. Renewal is supported before expiry, with a default renewal window of 30 days.

Private keys¶

Clients generate private keys locally. IronRoot servers sign CSRs and must not generate normal client or server private keys.