X509 Certificate validity in JWK

david.salvador · March 18, 2020, 6:20pm

Hello,

We have an Auth0 application that uses JWT’s signed with RS256. The RSA keypair used is generated by Auth0. With that keypair a self-signed X509 certificate is created which can later be found in .well-known/jwks.json. That X509 certificate has a validity of almost 14 years!

My main questions is:

Is it possible to create a JWK with a different validity time?

I feel that having an X509 certificate with such a big period of life is a security risk. Either because that keypair is vulnerable to some cryptographic attack that might appear in the future (or already exists but not public) or just to follow key management best practices and not use a key for a long period of time. Just as an example, Let’s Encrypt has a 90 day certificate validity.

Some related questions are:

Is it possible to have more than one key in an application’s JWKS?
Is JWT key rotation a process that, for now, has to be done manually? If so, any plans to include some kind of automated key rotation in the future?

Thanks,
David

adam.housman · March 18, 2020, 8:22pm

Hi @david.salvador ,

Welcome to the community

We are planning to release a feature that will enable you to rotate your signing keys soon.

Thanks,

Adam

konrad.sopala · March 19, 2020, 9:28am

Thanks for sharing that update @adam.housman!

david.salvador · March 19, 2020, 10:32am

Oh, okay. That’s great!

Would it be possible to know an estimate date or year quarter?

Thanks for the quick response.

adam.housman · March 19, 2020, 11:03am

Hi @david.salvador,

We’re currently targeting Q2 of this year.

Adam

konrad.sopala · March 19, 2020, 11:05am

Perfect thanks for letting us know!

system · April 3, 2020, 11:05am

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.