
[QUERY] Key Vault cert auto-rotation timeline


Query/Question

I have a certificate in Key Vault with an auto-rotation policy. I want my application to reload the certificate from Key Vault when a newer version is available. I’m using the Azure.Security.KeyVault.Certificates package to create a CertificateClient and get the KeyVaultCertificateWithPolicy. I then calculate the auto-rotation time of this certificate as defined in the LifetimeActions of the CertificatePolicy. But this time is not always the exact time of auto-rotation in Key Vault. There will always be some margin of error.

Questions:

  • How do I calculate the exact time when the new version of certificate will be available in Key Vault?
  • Is there a time window between which the certificate is guaranteed to be rotated?

Note: I cannot use Event Grid notifications.

Environment:

  • Name and version of the Library package used: Azure.Security.KeyVault.Certificates v4.1.0
  • Hosting platform or OS and .NET runtime version (dotnet --info output for .NET Core projects):
dotnet --info
.NET SDK (reflecting any global.json):
Version:   5.0.201
Commit:    a09bd5c86c

Runtime Environment:
OS Name:     Windows
OS Version:  10.0.19042
OS Platform: Windows
RID:         win10-x64
Base Path:   C:\Program Files\dotnet\sdk\5.0.201\

Host (useful for support):
 Version: 5.0.4
 Commit:  f27d337295

.NET SDKs installed:
 3.0.103 [C:\Program Files\dotnet\sdk]
 3.1.407 [C:\Program Files\dotnet\sdk]
 5.0.104 [C:\Program Files\dotnet\sdk]
 5.0.201 [C:\Program Files\dotnet\sdk]

.NET runtimes installed:
 Microsoft.AspNetCore.All 2.1.26 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
 Microsoft.AspNetCore.App 2.1.26 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
 Microsoft.AspNetCore.App 3.0.3 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
 Microsoft.AspNetCore.App 3.1.13 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
 Microsoft.AspNetCore.App 5.0.4 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
 Microsoft.NETCore.App 2.1.26 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
 Microsoft.NETCore.App 3.0.3 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
 Microsoft.NETCore.App 3.1.13 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
 Microsoft.NETCore.App 5.0.4 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
 Microsoft.WindowsDesktop.App 3.0.3 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
 Microsoft.WindowsDesktop.App 3.1.13 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
 Microsoft.WindowsDesktop.App 5.0.4 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  • IDE and version : Visual Studio 2019, Version 16.9.1

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 8 (4 by maintainers)

Top GitHub Comments

1 reaction
jlichwa commented, Apr 12, 2021

@avanigupta since due to various circumstances there could be up to 72h delay, rotation more often than every 5 days may not work, and yes, the other way around is that rotation should be scheduled at least 5 days before expiration to be on the safe spot.

So in general the idea is that certificate versions should overlap, so applications have enough time to refresh (at least several days), and with that there is no need for instant refresh (the previous certificate is still valid).

We recommend using a periodic request every 8-24h (VM Extension and Key Vault references do that) or, to avoid periodic calls, integrating with the NewVersion event (but I’m not sure how it is possible with App Configuration; I found that there is an option to refresh on demand, so it can help: https://docs.microsoft.com/en-us/azure/azure-app-configuration/enable-dynamic-configuration-dotnet-core-push-refresh).

0 reactions
avanigupta commented, Apr 12, 2021

> We recommend minimum 5 days for rotation.

Just to confirm, you mean that the auto-rotation policy should be setup such that it kicks in at least 5 days before the cert expires?

> I’m not familiar with the Azure App Configuration provider library use case, but it seems like it has a way to expire configuration, so once a day should be enough; it will refresh the certificate before expiry (you have expiry 1 month, which means that the certificate is valid for the entire 30 days).

Yes, we want to refresh the certificate when there is a new version in Key Vault. We are using the auto-rotation time to trigger a request to Key Vault to get the new version. If newer version is not available, we will keep re-trying periodically until a new version is available, or until the current version expires (whichever comes first). Do you recommend making this periodic request every 24 hours?
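The thread above settles on a concrete refresh strategy: compute when the AutoRenew lifetime action is due from the policy, expect Key Vault to apply it anywhere up to 72 hours after that, keep old and new versions overlapping by at least 5 days, and poll every 8-24 hours until a new version shows up. The following C# program is an added example for this thread (not code from the issue, the Azure SDK or the App Configuration provider) that implements that strategy with the real Azure.Security.KeyVault.Certificates 4.x types; the class `CertificateRotationWatcher`, its methods, and the vault URL and certificate name are assumptions to be replaced with your own.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Security.KeyVault.Certificates;

// Added example. CertificateRotationWatcher and its methods are hypothetical; the Azure types
// (CertificateClient, KeyVaultCertificateWithPolicy, LifetimeAction, CertificatePolicyAction) are real.
public static class CertificateRotationWatcher
{
    // Key Vault may apply the rotation up to 72 hours after the scheduled time (maintainer comment above).
    public static readonly TimeSpan RotationDelayMargin = TimeSpan.FromHours(72);

    // Recommended minimum overlap between the old and the new version (maintainer comment above).
    public static readonly TimeSpan MinimumLeadTime = TimeSpan.FromDays(5);

    // Time at which the policy's AutoRenew action is scheduled for this version, or null if there is none.
    // Mirrors what the issue author computes from CertificatePolicy.LifetimeActions.
    public static DateTimeOffset? ScheduledRotation(KeyVaultCertificateWithPolicy cert)
    {
        DateTimeOffset? notBefore = cert.Properties.NotBefore;
        DateTimeOffset? expires = cert.Properties.ExpiresOn;
        if (notBefore is null || expires is null || cert.Policy?.LifetimeActions is null)
            return null;

        foreach (LifetimeAction action in cert.Policy.LifetimeActions)
        {
            if (action.Action != CertificatePolicyAction.AutoRenew)
                continue;
            if (action.DaysBeforeExpiry is int days)
                return expires.Value.AddDays(-days);
            if (action.LifetimePercentage is int percent)
            {
                TimeSpan lifetime = expires.Value - notBefore.Value;
                return notBefore.Value + TimeSpan.FromTicks(lifetime.Ticks * percent / 100);
            }
        }
        return null;
    }

    // Sleeps until the scheduled rotation time, then polls Key Vault until a version other than the
    // current one appears. Throws if the current version expires before that happens.
    public static async Task<KeyVaultCertificateWithPolicy> WaitForNewVersionAsync(
        CertificateClient client,
        KeyVaultCertificateWithPolicy current,
        TimeSpan pollInterval,
        CancellationToken cancellationToken = default)
    {
        DateTimeOffset expires = current.Properties.ExpiresOn
            ?? throw new InvalidOperationException("Certificate has no expiry; cannot plan a refresh.");
        // Without an AutoRenew action, start watching at the recommended 5-day lead time anyway.
        DateTimeOffset scheduled = ScheduledRotation(current) ?? (expires - MinimumLeadTime);

        if (expires - scheduled < MinimumLeadTime)
            Console.WriteLine($"Warning: policy rotates only {expires - scheduled} before expiry; " +
                              $"at least {MinimumLeadTime.TotalDays} days is recommended.");

        await DelayUntilAsync(scheduled, cancellationToken);

        while (true)
        {
            cancellationToken.ThrowIfCancellationRequested();
            KeyVaultCertificateWithPolicy latest = await client.GetCertificateAsync(current.Name, cancellationToken);
            if (latest.Properties.Version != current.Properties.Version)
                return latest;

            DateTimeOffset now = DateTimeOffset.UtcNow;
            if (now >= expires)
                throw new InvalidOperationException($"Certificate '{current.Name}' expired before a new version appeared.");
            if (now > scheduled + RotationDelayMargin)
                Console.WriteLine($"Warning: rotation of '{current.Name}' is beyond the 72h margin; check the vault.");

            await Task.Delay(pollInterval, cancellationToken);
        }
    }

    // Task.Delay caps at roughly 24.8 days, so a long wait is split into one-day chunks.
    private static async Task DelayUntilAsync(DateTimeOffset when, CancellationToken cancellationToken)
    {
        TimeSpan chunk = TimeSpan.FromDays(1);
        for (TimeSpan remaining = when - DateTimeOffset.UtcNow; remaining > TimeSpan.Zero; remaining = when - DateTimeOffset.UtcNow)
            await Task.Delay(remaining < chunk ? remaining : chunk, cancellationToken);
    }

    public static async Task Main()
    {
        // Placeholder vault URL and certificate name (assumptions); replace with your own.
        var client = new CertificateClient(new Uri("https://YOUR-VAULT-NAME.vault.azure.net/"), new DefaultAzureCredential());
        KeyVaultCertificateWithPolicy current = await client.GetCertificateAsync("YOUR-CERTIFICATE-NAME");
        Console.WriteLine($"Loaded version {current.Properties.Version}; rotation scheduled for {ScheduledRotation(current)}.");

        // 8-hour polling sits at the short end of the 8-24h range recommended above.
        KeyVaultCertificateWithPolicy next = await WaitForNewVersionAsync(client, current, TimeSpan.FromHours(8));
        Console.WriteLine($"New version {next.Properties.Version} is available; reload it into the application now.");
    }
}
```

The version comparison is the detection signal: `Properties.Version` changes only when Key Vault has actually created the new version, so the exact rotation instant never needs to be known. The two warnings are the checks worth wiring to your monitoring: a policy that leaves less than 5 days of overlap, and a rotation that has not materialised 72 hours after it was due.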
