Talk about key rotation downtime and "rotationPolicy: Always" #521
Conversation
jetstack-bot
added
dco-signoff: yes
jetstack-bot
added
the
do-not-merge/work-in-progress
maelvls
force-pushed
the
document-key-rotation
branch
from
672af3e to
c21dd5c
Compare
jetstack-bot
added
size/L
maelvls
force-pushed
the
document-key-rotation
branch
5 times, most recently
from
cb8764f to
e47a736
Compare
|
Update: using |
jetstack-bot
removed
the
do-not-merge/work-in-progress
|
/hold |
jetstack-bot
added
the
do-not-merge/hold
maelvls
force-pushed
the
document-key-rotation
branch
from
419dd65 to
880e3df
Compare
maelvls
changed the title
There was a problem hiding this comment.
Thanks @maelvls
I spotted a few typos and made a few suggestions.
Also suggest going through all the changes in the PR and ensuring that references to cert-manager or Kubernetes resource types are capitalized. E.g. Certificate, Secret etc....I didn't highlight them all below.
|
|
jetstack-bot
added
the
needs-rebase
jetstack-bot
added
dco-signoff: no
maelvls
force-pushed
the
document-key-rotation
branch
from
62a8bf1 to
ea657a9
Compare
maelvls
force-pushed
the
document-key-rotation
branch
from
ee43f0c to
d7b0205
Compare
jetstack-bot
added
dco-signoff: yes
|
/assign @wallrj |
jetstack-bot
added
the
needs-rebase
maelvls
force-pushed
the
document-key-rotation
branch
from
ef9e2e6 to
d27f858
Compare
jetstack-bot
removed
the
needs-rebase
Note that I added an anchor ID using the syntax
## Header {#id}
That's to prevent anchor ID breakage, i.e., people have already copied
this anchor ID and expect the ID to still work.
Signed-off-by: Maël Valais <mael@vls.dev>
Signed-off-by: Maël Valais <mael@vls.dev>
Two bits of information have also been added as part of this change: we now explain that the app is expected to auto-reload the cert, and we also added a word on the Venafi issuer not allowing reusing private keys depending on the configuration. Signed-off-by: Maël Valais <mael@vls.dev> Co-authored-by: Richard Wall <richard.wall@jetstack.io>
maelvls
force-pushed
the
document-key-rotation
branch
from
d27f858 to
550fc84
Compare
|
This good to me, reads really well :) /lgtm |
content/en/docs/usage/certificate.md
Outdated
| Setting the `rotationPolicy: Always` or change the Certificate's spec won't | ||
| rotate the private key immediately. In order to get the private key secret | ||
| rotated, the certificate objects must be reissued. A certificate object is | ||
| reissued with either: |
There was a problem hiding this comment.
| Setting the `rotationPolicy: Always` or change the Certificate's spec won't | |
| rotate the private key immediately. In order to get the private key secret | |
| rotated, the certificate objects must be reissued. A certificate object is | |
| reissued with either: | |
| Setting the `rotationPolicy: Always` or changing other fields in the Certificate spec won't | |
| rotate the private key immediately. In order to rotate the private key, the certificate objects must be reissued. A certificate object is | |
| reissued under the following circumstances: |
There was a problem hiding this comment.
It's not showing the diff for some reason. s/or change the/or changing the/.
And maybe it would read better as:
Changing the Certificate spec does not trigger the renewal process, so if you change the value to
rotationPolicy: Alwaysand you want the private key to be rotated immediately, you will have to manually trigger the renewal by:
There was a problem hiding this comment.
Also:
Changing the Certificate spec does not trigger the renewal process,
This statement in isolation is not true, and may cause confusion. The majority of fields will cause a re-issuance (e.g. changing dnsNames, commonName, usages etc). Changing the rotationPolicy (or any other fields that control how a renewal happens) won't cause a re-issuance immediately.
There was a problem hiding this comment.
In #521 (comment), Richard proposed to remove the line:
The certificate object is reissued when a change to the certificate object's spec is made.
I think I misunderstood Richard's suggestion back in May. I should have understood Richard's comment as:
The certificate object is reissued when a change to one of the certificate object's fields
commonName,dnsNames,ipAddresses,uris,emailAddresses,subject,isCA,usages,durationorissuerRefis made.
(as per RequestMatchesSpec)
Apologies for my misunderstanding.
I re-added the line about reissuing on spec change in ea1f25b.
content/en/docs/usage/certificate.md
Outdated
| 👉 It is recommended you configure `rotationPolicy: Always` on your certificate | ||
| resources. It is considered to be a good practice to rotate private keys when a | ||
| certificate is renewed. |
There was a problem hiding this comment.
| 👉 It is recommended you configure `rotationPolicy: Always` on your certificate | |
| resources. It is considered to be a good practice to rotate private keys when a | |
| certificate is renewed. | |
| 👉 We recommend that you configure `rotationPolicy: Always` on your certificate | |
| resources. It is considered to be a good practice to rotate private keys when a | |
| certificate is renewed. |
Can we link to a reference backing up this claim good practice?
There was a problem hiding this comment.
I cannot find any good reference to support this claim. By reading some discussions:
- https://community.letsencrypt.org/t/should-i-always-generate-a-new-csr-private-key/100985
- https://security.stackexchange.com/questions/27810/should-i-change-the-private-key-when-renewing-a-certificate
People seem to suggest that:
- RSA/ECDSA private keys can't (mostly) be guessed, which means there is less of a need for renewing them (unlike passwords that are way shorter),
- But at the same time, an RSA/ECDSA private keys may be leaked through some old backup, leading to a possible man-in-the-middle situation.
Looking around, I found that:
-
certbot renews the private key while renewing the cert by default, but there is nothing explaining why;
-
NIST's Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations does not indicate when to renew the private key; the only bit that talks about what to do with a server private key is this:
The security of the server’s private key is critical to the security of TLS. If the server’s private key is weak or can be obtained by a third party, the third party can masquerade as the server to
all clients. -
NIST's Recommendation for Key Management has a nice table but no claim on when the private key should be renewweed:
-
f5-bigip suggests to renew the private key (https://support.f5.com/csp/article/K14620):
Note: When renewing an SSL certificate from a CA, F5 recommends that you generate a new certificate signing request (CSR) and private key. Although some CAs allow you to renew a certificate by using the existing CSR on file, this method is less secure as it retains the existing private key. To generate a new CSR, follow the procedure for Creating an SSL CSR and private key.
@SgtCoDFish Do you know a place where that would be written? Or should I rather remove this claim and say that "the cert-manager team suggests users renewing the private key along with the certificate"?
There was a problem hiding this comment.
I think one big reason why you would want to, is that if you were to renew a certificate using the same private key, and then after the initial certificates expiry learn that the private key had actually been leaked, the new certificate would be valid to use with the old private key, thus the 'rotation' didn't really provide any more protection and really just extended the lifetime of the existing certificate.
There was a problem hiding this comment.
James is spot on. I don't have like an authoritative source to hand for why you'd want to rotate as much as possible, but certainly I think it's best practice.
The longer a key is used, the more likely it is to be exposed. Keys should be renewed "as often as possible" for me; not only for security reasons but also operational reasons to show that it can be done, so that if it has to be done in an emergency the org has confidence that they can carry it out.
There was a problem hiding this comment.
I tried my best to formulate a paragraph that "justifies" our point of view. Please correct me if any of this is wrong. 🔥
👉 We recommend that you configure rotationPolicy: Always on your Certificate resources.
Rotating both the certificate and the private key simultaneously prevents the risk of issuing a certificate associated with an exposed private key.
Another benefit to renewing the private key regularly is to let you be confident that the private key rotation can be done in case of an emergency.
More generally, it is a good practice to be rotating the keys as often as possible, reducing the risk associated with compromised keys.
|
/hold |
Signed-off-by: Maël Valais <mael@vls.dev> Co-authored-by: Richard Wall <richard.wall@jetstack.io>
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: maelvls, wallrj The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Signed-off-by: Maël Valais <mael@vls.dev>
maelvls
force-pushed
the
document-key-rotation
branch
from
d887ba8 to
ea1f25b
Compare
|
/lgtm |
|
/unhold |
jetstack-bot
removed
the
do-not-merge/hold
Questions around possible downtime while rotating the private key secret were asked multiple times on the Kubernetes Slack: 1, 2. This PR is about mentioning that there is no expected downtime.
Related: