We have an Auth0 application that uses JWT’s signed with RS256. The RSA keypair used is generated by Auth0. With that keypair a self-signed X509 certificate is created which can later be found in
.well-known/jwks.json. That X509 certificate has a validity of almost 14 years!
My main questions is:
- Is it possible to create a JWK with a different validity time?
I feel that having an X509 certificate with such a big period of life is a security risk. Either because that keypair is vulnerable to some cryptographic attack that might appear in the future (or already exists but not public) or just to follow key management best practices and not use a key for a long period of time. Just as an example, Let’s Encrypt has a 90 day certificate validity.
Some related questions are:
- Is it possible to have more than one key in an application’s JWKS?
- Is JWT key rotation a process that, for now, has to be done manually? If so, any plans to include some kind of automated key rotation in the future?