X509 Certificate validity in JWK


We have an Auth0 application that uses JWT’s signed with RS256. The RSA keypair used is generated by Auth0. With that keypair a self-signed X509 certificate is created which can later be found in .well-known/jwks.json. That X509 certificate has a validity of almost 14 years!

My main questions is:

  • Is it possible to create a JWK with a different validity time?

I feel that having an X509 certificate with such a big period of life is a security risk. Either because that keypair is vulnerable to some cryptographic attack that might appear in the future (or already exists but not public) or just to follow key management best practices and not use a key for a long period of time. Just as an example, Let’s Encrypt has a 90 day certificate validity.

Some related questions are:

  • Is it possible to have more than one key in an application’s JWKS?
  • Is JWT key rotation a process that, for now, has to be done manually? If so, any plans to include some kind of automated key rotation in the future?


Hi @david.salvador ,

Welcome to the community :slight_smile:

We are planning to release a feature that will enable you to rotate your signing keys soon.




Thanks for sharing that update @adam.housman!

Oh, okay. That’s great!

Would it be possible to know an estimate date or year quarter?

Thanks for the quick response.

Hi @david.salvador,

We’re currently targeting Q2 of this year.



Perfect thanks for letting us know!

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.