When do Signing Certificates change/expire?

I noticed that the Signing Certificate provided by an Auth0 Client configuration has an expiration date. Found by running openssl x509 -enddate -noout -in the-cert.pem

For performance reasons, I would like to keep the signing cert locally on my servers, but I’m worried that the certificates will unexpectedly expire and we will have to reactively update this certificate. Do you have documentation for this situation at all?

To my knowledge there’s no automatic rotation of the certificates so under normal situations there would be no automatic change of the signing certificate; given they have a substantial lifetime this should not pose any short-term concern and any future rotation required due to expiration can be properly documented in time.

There are situations where a change of certificate could be required, however since these would not happen automatically they would be coordinated in a case by case basis.

In addition, for certain situations you can already implement your system in a way that it will respond to a change in signing keys automatically. For example, if you require the public key associated with the signing certificate for the purpose of validating issued JWT tokens then if the system obtains the key from https://[your_account].auth0.com/.well-known/jwks.json endpoint it can cache it for performance reasons until it receives a JWT token with a key identifier that does not match the one it has on cache. At this time the system can decide to make another request to the above endpoint to check if there are new keys available and if keys changed proceed to use the new ones automatically.