Proposal: Automatically rotate verification certificate signing keys
mikehelmick opened this issue
Mike Helmick commented
TL;DR
Automatically rotate verification certificate signing keys
Design
Proposal
- Realm opt in to auto rotate keys every 30 days (they can still do it manually)
  - Big warning that your key server should be using JWKS import
- New periodic background job to rotate keys
  - 30 days after last key was created - create a new key
  - 12 hours later - make that new key active
  - 1 hour later - revoke the old key
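The staged schedule proposed above, sketched as a decision function a periodic job could call once per realm. This is an added example, not code from the project: the `SigningKey` type, `NextAction` and the action strings are hypothetical, and it assumes "1 hour later" is measured from activation of the new key.

```go
package main

import (
	"fmt"
	"time"
)

// Delays taken from the proposal above.
const (
	rotateAfter   = 30 * 24 * time.Hour // new key 30 days after the last one was created
	activateAfter = 12 * time.Hour      // new key becomes active 12 hours after creation
	revokeAfter   = 1 * time.Hour       // old key revoked 1 hour after activation (assumed reading)
)

// SigningKey is a hypothetical record for this sketch, not the project's schema.
type SigningKey struct {
	ID          string
	CreatedAt   time.Time
	ActivatedAt time.Time // zero value: created but not yet active
	Revoked     bool
}

// NextAction returns "create", "activate:<id>", "revoke:<id>" or "none"; keys is sorted oldest first.
func NextAction(autoRotate bool, keys []SigningKey, now time.Time) string {
	if !autoRotate || len(keys) == 0 {
		return "none" // realm has not opted in, or there is nothing to rotate
	}
	newest := keys[len(keys)-1]
	if newest.ActivatedAt.IsZero() {
		if now.Sub(newest.CreatedAt) >= activateAfter {
			return "activate:" + newest.ID
		}
		return "none" // never create a second pending key while one is waiting
	}
	if now.Sub(newest.ActivatedAt) >= revokeAfter {
		for _, k := range keys[:len(keys)-1] {
			if !k.Revoked {
				return "revoke:" + k.ID
			}
		}
	}
	if now.Sub(newest.CreatedAt) >= rotateAfter {
		return "create"
	}
	return "none"
}

func main() {
	t0 := time.Date(2021, 1, 1, 0, 0, 0, 0, time.UTC) // constructed sample data
	fmt.Println(NextAction(true, []SigningKey{{ID: "k1", CreatedAt: t0, ActivatedAt: t0}}, t0.Add(rotateAfter)))
}
```

Returning one action per call keeps each step idempotent: a job run that is retried or delayed re-evaluates the stored timestamps instead of skipping a stage.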
Mike Helmick commented
/assign
Mike Helmick commented
- add db columns
- add UI to enable disable / flag controlled
- add background rotation
- add terraform for scheduling
- enable auto rotation by default (v0.21.0 or later)