Changing the signing certificate with key rollover
If you need to change the certificate that Access Management uses for signing tokens, we recommend you follow a key-rollover process.
About this task
Rather than completely replacing old signing certificates with new ones in one step, Access Management supports a key rollover process. With Access Management, this involves staged edits to the appsettings.json configuration file. The following are the essential steps, which are described in detail in the task that follows:
- First edit -- Add the new certificate first as a validation certificate only.
- Wait for a period of time so that clients become aware of the new certificate.
- Second edit -- Switch the new certificate from a validation certificate to the primary signing certificate, while making the old one a validation certificate.
- Wait again until you are sure tokens signed with the old certificate are no longer in circulation.
- Third edit -- Remove the old certificate entirely once you are confident it is no longer needed.
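To make the purpose of each staged edit concrete, here is an added illustration that is not part of this documentation and is not Access Management code or its appsettings.json format. It models each stage as a plain dict with one signing key and a list of validation keys, and uses HMAC secrets (constructed demo values) as a stand-in for the signing certificates so that it runs with the standard library only. It shows which stages accept a token signed with the old key and which accept one signed with the new key, which is exactly the reason for the two waiting periods.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo keys (not real signing material). Each "certificate" is
# modelled as a key id plus an HMAC secret; assumption: the real deployment
# selects the certificate by the token's kid header in the same way.
OLD_KEY = {"kid": "signing-2023", "secret": b"old-demo-secret"}
NEW_KEY = {"kid": "signing-2024", "secret": b"new-demo-secret"}


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, as used in compact tokens."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def rollover_stages():
    """The staged configurations from the list above, in order.

    'signing' is the key used to issue new tokens; 'validation' lists every
    key whose tokens are still accepted. The stage names are hypothetical."""
    return {
        "before":      {"signing": OLD_KEY, "validation": [OLD_KEY]},
        "first_edit":  {"signing": OLD_KEY, "validation": [OLD_KEY, NEW_KEY]},
        "second_edit": {"signing": NEW_KEY, "validation": [NEW_KEY, OLD_KEY]},
        "third_edit":  {"signing": NEW_KEY, "validation": [NEW_KEY]},
    }


def issue_token(config, claims):
    """Sign claims with the stage's primary signing key (compact JWS layout)."""
    key = config["signing"]
    header = {"alg": "HS256", "kid": key["kid"]}
    signing_input = (
        _b64(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)


def validate_token(config, token):
    """Return the claims if the token was signed by any key in the stage's
    validation list, otherwise None.

    The kid header selects the key, the alg is pinned, and the signature is
    compared in constant time."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_unb64(h))
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None
    key = next((k for k in config["validation"] if k["kid"] == header.get("kid")), None)
    if key is None:
        return None
    expected = hmac.new(key["secret"], f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(s)):
        return None
    return json.loads(_unb64(p))


def stages_accepting(token):
    """Names of the stages whose validation list accepts the given token."""
    return [name for name, cfg in rollover_stages().items()
            if validate_token(cfg, token) is not None]


if __name__ == "__main__":
    stages = rollover_stages()
    old_token = issue_token(stages["first_edit"], {"sub": "alice"})   # signed by OLD
    new_token = issue_token(stages["second_edit"], {"sub": "alice"})  # signed by NEW
    print("old-signed token accepted in:", stages_accepting(old_token))
    print("new-signed token accepted in:", stages_accepting(new_token))
```

Running it shows that a token signed with the new key is rejected in the "before" stage, which is why the new certificate must first be published for validation only, and that a token signed with the old key is rejected after the third edit, which is why the old certificate must stay in the validation list until every token it signed has expired.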
Procedure
What to do next
After some time, when you are confident the outgoing certificate is no longer needed, you can remove it entirely from the configuration. We recommend that you keep a certificate in the validation list for as long as tokens it signed may still be presented, in particular longer-lived tokens.