This repository has been archived by the owner on Jul 12, 2023. It is now read-only.

Proposal: Automatically rotate verification certificate signing keys #1567

Closed
mikehelmick opened this issue Jan 12, 2021 · 2 comments · Fixed by #1614
Labels
kind/enhancement New feature or feature request.

Comments

@mikehelmick
Contributor

TL;DR

Automatically rotate verification certificate signing keys

Design

Proposal

  1. Realm opt in to auto rotate keys every 30 days (they can still do it manually)
    • Big warning that your key server should be using JWKS import
  2. New periodic background job to rotate keys
    • 30 days after last key was created - create a new key
    • 12 hours later - make that new key active
    • 1 hour later - revoke the old key
@mikehelmick mikehelmick added the kind/enhancement New feature or feature request. label Jan 12, 2021
@mikehelmick mikehelmick added this to the v0.21.0 milestone Jan 12, 2021
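
The schedule proposed above, written as a decision function that a periodic job could call once per realm on each run (an added example, not the project's code). The `SigningKey` type, `NextStep` and the action names are hypothetical, and it assumes the 1-hour revoke delay is measured from the moment the new key became active.

```go
package main

import (
	"fmt"
	"time"
)

// Delays from the proposal; measuring the revoke delay from activation is an assumption.
const (
	rotateAfter   = 30 * 24 * time.Hour
	activateAfter = 12 * time.Hour
	revokeAfter   = 1 * time.Hour
)

// SigningKey is a hypothetical record, not the project's schema.
type SigningKey struct {
	ID          string
	CreatedAt   time.Time
	ActivatedAt time.Time // zero until the key is made active
}

// NextStep returns the one action the periodic job should take for a realm and
// the key it applies to. keys holds the realm's non-revoked keys, oldest first.
func NextStep(optedIn bool, keys []SigningKey, now time.Time) (action, keyID string) {
	if !optedIn || len(keys) == 0 {
		return "none", "" // manual rotation only, or nothing to rotate from
	}
	newest := keys[len(keys)-1]
	switch {
	case newest.ActivatedAt.IsZero(): // created, waiting to become active
		if now.Sub(newest.CreatedAt) >= activateAfter {
			return "activate", newest.ID
		}
	case len(keys) > 1: // new key active, older key still trusted
		if now.Sub(newest.ActivatedAt) >= revokeAfter {
			return "revoke", keys[0].ID
		}
	case now.Sub(newest.CreatedAt) >= rotateAfter: // single active key is due
		return "create", ""
	}
	return "none", ""
}

func main() {
	t0 := time.Date(2021, 1, 1, 0, 0, 0, 0, time.UTC) // constructed sample data
	keys := []SigningKey{{ID: "v1", CreatedAt: t0, ActivatedAt: t0}}
	fmt.Println(NextStep(true, keys, t0.Add(rotateAfter)))
}
```

Because each step is derived from stored timestamps rather than from the job's own run history, a run that fires late performs the pending step once and the next run picks up the following one.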
@mikehelmick
Contributor Author

/assign

@mikehelmick
Contributor Author

mikehelmick commented Jan 14, 2021

  • add db columns
  • add UI to enable disable / flag controlled
  • add background rotation
  • add terraform for scheduling
  • enable auto rotation by default (v0.21.0 or later)

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 17, 2021