kimathie

Reputation: 426

Periodically change SSL certificate at runtime

I am building an internal PKI for our microservices. The way it works right now is

There's an Offline Root CA and online Issuing CA

on start up a microservice

What we envision is to create a short-lived (say 24 hours or less in validity) certificate for each microservice, and when it is about to expire or when it expires, the microservice should generate a new CSR, get it signed and continue working as usual. Is this possible, and what are the challenges to be faced if we were to go in this direction?

Upvotes: 3

Views: 940

Answers (1)

pedrofb

Reputation: 39271

Leaving aside why you need such a low refresh time for an internal network, your architecture is viable.

To consider:

  • The issuing CA must be online, should process the CSR and return a valid certificate during the startup of the microservice, and should have a reasonably short response time

  • The public certificate of the Offline Root CA should be included beforehand in the truststore of each microservice. I would recommend including it programmatically to avoid security risks

  • Check whether your SSL server is hot-swappable and the certificate can be updated during start-up, or whether it must be done before the microservice starts (not all servers support it)

  • Note that you will not be able to use SSL-pinning

SSL pinning is implemented by adding the server certificate to the truststore instead of the issuing CA, to avoid other certificates of the same CA being accepted.

The certificate is usually installed manually and offline in the client truststore, but in your case you would have to distribute each certificate to the clients that are going to use the microservice. The solution is impractical because you have to secure the channel, distribute the certificates to each client, install them and ensure all steps are synchronized.

Also do not forget that the old certificates must be deleted from the truststore, because if they are present they would still be accepted by clients.

Upvotes: 2
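As an added illustration of the hot-swap point raised in the answer (this is example code written for this page, not code from the answer's author or from any particular server product), the Go block below keeps the leaf certificate behind `tls.Config.GetCertificate`, which crypto/tls consults on every handshake, so a renewed certificate takes effect for the next client without restarting the listener. The service side generates a fresh key and CSR and swaps the signed result in; `NeedsRenewal` is the check a renewal loop would run ahead of expiry. The in-process `issuingCA`, the service name `orders.internal` and the 24-hour validity are constructed assumptions standing in for the online Issuing CA; a real service would reach its CA over an authenticated channel and hold only the Root CA in its truststore.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"sync"
	"time"
)

// RotatingCert holds the leaf a TLS server presents. crypto/tls calls
// tls.Config.GetCertificate on every handshake, so swapping the pointer here takes
// effect for the next client without restarting the listener, wired up as
//   srv.TLSConfig = &tls.Config{GetCertificate: rc.GetCertificate}
type RotatingCert struct {
	mu   sync.RWMutex
	cert *tls.Certificate
}

// GetCertificate is the tls.Config.GetCertificate callback.
func (r *RotatingCert) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	r.mu.RLock()
	defer r.mu.RUnlock()
	if r.cert == nil {
		return nil, errors.New("no certificate loaded yet")
	}
	return r.cert, nil
}

// NeedsRenewal reports whether the leaf is missing or expires within lead of now;
// a renewal loop calls this well before expiry so the swap happens early.
func (r *RotatingCert) NeedsRenewal(now time.Time, lead time.Duration) bool {
	r.mu.RLock()
	defer r.mu.RUnlock()
	if r.cert == nil || r.cert.Leaf == nil {
		return true
	}
	return !now.Add(lead).Before(r.cert.Leaf.NotAfter)
}

// issuingCA is a constructed in-process stand-in for the online Issuing CA
// (hypothetical; a real service would reach the CA over an authenticated channel).
type issuingCA struct{ cert *x509.Certificate; key *ecdsa.PrivateKey }

func newIssuingCA(now time.Time) (*issuingCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	if err != nil { return nil, err }
	return &issuingCA{cert: cert, key: key}, nil
}

// SignCSR verifies the CSR's proof of possession and issues a short-lived leaf.
func (ca *issuingCA) SignCSR(csrDER []byte, now time.Time, validity time.Duration) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil { return nil, err }
	if err := csr.CheckSignature(); err != nil { return nil, err }
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(validity), // 1 min of clock-skew allowance
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.cert, csr.PublicKey, ca.key)
}

// Renew is the service-side step: fresh key, new CSR, signature from the CA, hot swap.
func Renew(r *RotatingCert, ca *issuingCA, name string, now time.Time, validity time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: name}, DNSNames: []string{name}}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, req, key)
	if err != nil { return nil, err }
	leafDER, err := ca.SignCSR(csrDER, now, validity)
	if err != nil { return nil, err }
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil { return nil, err }
	// Swap under the write lock; handshakes already in flight keep the old certificate.
	// The chain sent is leaf + issuing CA, so clients only need the anchor (the Root CA in a two-tier PKI).
	r.mu.Lock()
	r.cert = &tls.Certificate{Certificate: [][]byte{leafDER, ca.cert.Raw}, PrivateKey: key, Leaf: leaf}
	r.mu.Unlock()
	return leaf, nil
}
```

Because every renewal produces a new key pair and a new serial, nothing has to be revoked when a 24-hour leaf lapses; the clients' truststore holds only the CA, which is why the answer notes that per-server pinning does not fit this design.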
