Configuring certificate rollover

Preconditions

  • Have an OAuth 2.0 Authorization Server / OpenID Provider pattern, so the preconditions of Setting up an OAuth 2.0 Authorization Server also apply here.
  • The Key Stores involved in the certificate rollover must not be automatic (certificate rollover is not supported yet with automatic key management).
  • There must be an OpenID Connect JWKs Endpoint exposed by this Authorization Server, i.e., the setting REST Endpoints of the Authorization Server must include a pattern with a path in the setting Endpoint Path.

Basis of the implementation

Certificate rollover is implemented with the setting Old Signer, which holds the old key material that was used in the past for signing or encrypting and that may still be needed to handle old tokens. Current and future tokens are signed with the usual setting Signer.

The JWKS endpoint generated by the Authorization Server contains both public keys, the old and the new one, so that Relying Parties keep working without problems during the transition period after the key material change.
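As an added illustration of why the endpoint publishes both keys (example code written for this page, not part of the product's own implementation): a minimal ES256 signer and a Relying-Party-side verifier that selects the key by `kid`. It assumes P-256 keys and the constructed kids `old-2023` and `new-2024`; `RolloverDemo` shows a token signed with the old key still verifying while that key is published and failing once it is removed.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"math/big"
	"strings"
)
// JWKS is the key list the JWKs Endpoint serves (wrapped as {"keys":[...]}); PublicJWK builds one RFC 7517 entry.
type JWKS []map[string]string
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
func dec(s string) []byte { b, err := base64.RawURLEncoding.DecodeString(s); if err != nil { return nil }; return b }
func pad32(n *big.Int) []byte { return n.FillBytes(make([]byte, 32)) }
func digest(s string) []byte { h := sha256.Sum256([]byte(s)); return h[:] }
func GenKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
func PublicJWK(kid string, k *ecdsa.PublicKey) map[string]string { // kid is what a Relying Party matches on
	return map[string]string{"kty": "EC", "crv": "P-256", "use": "sig", "kid": kid, "x": b64(pad32(k.X)), "y": b64(pad32(k.Y))}
}
// SignES256 returns a compact JWS whose header names the signing key by kid.
func SignES256(kid string, key *ecdsa.PrivateKey, claims []byte) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": kid})
	input := b64(hdr) + "." + b64(claims)
	r, s, _ := ecdsa.Sign(rand.Reader, key, digest(input))
	return input + "." + b64(append(pad32(r), pad32(s)...))
}
// VerifyES256 does what a Relying Party does: look the header's kid up in the JWKS, then check the signature.
func VerifyES256(jwks JWKS, token string) bool {
	p := strings.Split(token, ".")
	if len(p) != 3 { return false }
	hdr, sig := map[string]string{}, dec(p[2])
	if json.Unmarshal(dec(p[0]), &hdr) != nil || hdr["alg"] != "ES256" || len(sig) != 64 { return false }
	for _, k := range jwks {
		if k["kid"] != hdr["kid"] || k["kty"] != "EC" || k["crv"] != "P-256" { continue }
		x, y := dec(k["x"]), dec(k["y"])
		if len(x) != 32 || len(y) != 32 { return false }
		pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
		return ecdsa.Verify(pub, digest(p[0]+"."+p[1]), new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:]))
	}
	return false // kid not published: that key material is no longer (or not yet) in the JWKS
}
// RolloverDemo: a token signed before the rollover verifies while the Old Signer key is still published, not after.
func RolloverDemo() (duringTransition, afterOldKeyRemoved bool) {
	oldKey, newKey := GenKey(), GenKey() // constructed keys and kids, not real material
	oldToken := SignES256("old-2023", oldKey, []byte(`{"sub":"alice"}`))
	both := JWKS{PublicJWK("old-2023", &oldKey.PublicKey), PublicJWK("new-2024", &newKey.PublicKey)}
	return VerifyES256(both, oldToken), VerifyES256(both[1:], oldToken)
}
```

Tokens issued with the Old Signer keep verifying only for as long as its public key stays in the JWKS, which is why the old pattern is removed only once those tokens are no longer in use.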

Maintenance when the current key material is close to expiring

  1. Set the setting Old Signer of the Authorization Server to the current value of the setting Signer (a PEM Key Store pattern).
  2. If the setting Old Signer already referenced a pattern before this change, remove that pattern.
  3. Set the setting Signer of the Authorization Server to a new PEM Key Store pattern that contains the new key material to be used.
  4. Redeploy the changes.