Show HN: Infisical PKI – Open-Source Private CA and Certificate Management (infisical.com)
9 points by vmatsiiako on July 29, 2024 | hide | past | favorite | 5 comments
We just released an open source PKI engine [0] as part of the wider Infisical secret management toolset. With Infisical PKI, you can:

- create root and intermediary CAs;
- issue and revoke x.509 certificates (with support for CRL);
- encrypt TLS communication channels and authenticate users, computers, IoT devices, etc.

It is available under the MIT license as part of the main Infisical repository [1].

[0] https://infisical.com/docs/documentation/platform/pki/overvi...

[1] https://github.com/Infisical/infisical



If I have a CA hierarchy and my CA is expiring, how would y’all handle the CA renewal process for it?


We've laid out a pretty flexible foundation for this first release of Infisical PKI. The API is fully exposed, so you'd be able to orchestrate your own CA renewal workflow as you wish.

You can't reissue the same CA with a new validity period yet, but you can definitely issue new CA(s) as part of your CA succession. This does take some manual work to do at the moment, but we do plan to introduce more automated renewal workflows soon involving automatic generation of CSRs to parent CAs, auto-approving + reissuing new certificates, etc.

Definitely be on the lookout for that! Happy to expand on some of these plans :)


What if I have an existing CA hierarchy in place already? Is this something I would be able to easily migrate to?


Not yet but we definitely have ideas for this coming up next on the roadmap.

The basic idea would be to allow you to create CAs with external/imported CA options which would assist with a migration.

For example, you would be able to "import" in a signed certificate (+chain) from an external parent CA when installing an intermediate CA in Infisical. As you'd expect, Infisical would generate a CSR for the CA to be signed by the parent CA externally.
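An added example (not Infisical's code, and not posted by anyone in this thread) of the two workflows discussed above, done with plain openssl: the intermediate only emits a CSR, the parent CA signs it externally and hands back the certificate, and then CA succession installs a second intermediate under the same root while the first stays valid. The directory layout, subject names, key sizes and lifetimes are assumptions made for the demo.

```shell
# Constructed demo, not Infisical's code: root -> intermediate -> leaf with openssl.
# Shows the CSR-based install of an intermediate (parent signs externally) and CA
# succession (int2 signed by the same root while int1 is still valid).
set -eu

# Generate a key and a self-signed root CA certificate in directory $1.
make_root() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1/root.key" \
    -out "$1/root.csr" -subj "/CN=Demo Root CA" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$1/root.ext"
  openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -out "$1/root.pem" \
    -days 3650 -extfile "$1/root.ext" 2>/dev/null
}

# Intermediate named $2 in directory $1: it only produces a CSR; the root signs
# it with CA:TRUE,pathlen:0 so it can issue leaves but no further CAs.
make_intermediate() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$2.key" \
    -out "$1/$2.csr" -subj "/CN=Demo Intermediate $2" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$1/ca.ext"
  openssl x509 -req -in "$1/$2.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -CAcreateserial -out "$1/$2.pem" -days 1825 -extfile "$1/ca.ext" 2>/dev/null
}

# Server leaf $3 issued by intermediate $2 in directory $1.
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$3.key" \
    -out "$1/$3.csr" -subj "/CN=$3.example.test" 2>/dev/null
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' \
    > "$1/leaf.ext"
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -CAcreateserial -out "$1/$3.pem" -days 90 -extfile "$1/leaf.ext" 2>/dev/null
}

# Does leaf $3 chain to the root through intermediate $2? (exit status only)
verify_leaf() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/$2.pem" "$1/$3.pem" >/dev/null 2>&1
}

# Build the hierarchy in $1, then run the succession: int2 joins under the same
# root, leaf2 is issued by it, and both generations still verify against the root.
run_demo() {
  make_root "$1"
  make_intermediate "$1" int1; make_leaf "$1" int1 leaf1
  make_intermediate "$1" int2; make_leaf "$1" int2 leaf2
  verify_leaf "$1" int1 leaf1 && verify_leaf "$1" int2 leaf2
}
```

Run it with `d=$(mktemp -d); run_demo "$d" && echo "both generations verify"`; the `int1.csr` and `int2.csr` files are what an external parent CA would receive, and `int1.pem`/`int2.pem` plus `root.pem` are the signed certificate and chain that get imported back.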


Step-CA is much better



