The Consul root CA is generated using the consul tls ca create command. If created with the original options the root CA is only valid for a few years. After running production for a while you inevitably need to extend this certificate. To do so we need to generate and sign a new certificate using the existing private key. Consul does not provide any commands for doing so but it can be done using OpenSSL.

First, create a CSR from the existing Consul CA certificate.

openssl x509 -x509toreq -in consul-agent-ca.pem -signkey consul-agent-ca-key.pem -out renewedca.csr

Next, we need to create an OpenSSL config file for generating the new certificate. Read the existing CA certificate with openssl x509 -in consul-agent-ca.pem -noout -text. Fill in the OpenSSL config file with the field values from the existing certificate.

distinguished_name = req_distinguished_name
prompt = no
C = US
L = San Francisco
O = HashiCorp Inc.
OU = HashiCorp Inc.
CN = CN=Consul Agent CA 340255540300806611266427072427762750721
basicConstraints = critical, CA:true
keyUsage = digitalSignature, cRLSign, keyCertSign
authorityKeyIdentifier = keyid:61:39:3A:36:33:3A:30:31:3A:34:61:3A:32:65:3A:66:30:3A:33:61:3A:64:32:3A:66:31:3A:33:33:3A:65:39:3A:61:62:3A:61:64:3A:65:63:3A:31:37:3A:33:65:3A:39:36:3A:63:34:3A:61:30:3A:37:37:3A:36:61:3A:64:33:3A:64:63:3A:31:66:3A:33:36:3A:35:33:3A:30:38:3A:65:34:3A:38:64:3A:63:66:3A:37:66:3A:39:32

Now we can generate a new certificate from the CSR.

openssl x509 -req -days 3652 -in renewedca.csr -signkey consul-agent-ca-key.pem -out consul-agent-ca-new.pem -extfile ./renewedca.conf -extensions v3_ca

Finally, verify a previously issued client or server cert against the new CA certificate.

openssl verify -CAfile consul-agent-ca.pem -verbose server-consul-0.pem
server-consul-0.pem: OK

If the certificate successfully verifies then we can deploy the new certificate to servers and agents.