[QUERY] Key Vault cert auto-rotation timeline #20266
Comments
ghost
added
the
needs-triage
jsquire
added
Client
ghost
removed
the
needs-triage
|
Thank you for your feedback. Tagging and routing to the team member best able to assist. |
|
@avanigupta, are you saying the time you get back via the SDK doesn't match the service timeout (perhaps displayed in the Portal), or that the key/certificate isn't actually rotated when you expect it to be given the time displayed? /cc @jlichwa |
|
@avanigupta depends on the number of certificates and needed retries the actual time will vary and it is not possible to come up with actual time. |
|
@jlichwa , I have a test certificate with the following auto-rotation policy:
So this certificate should rotate every 7.2 hours (as documented here). However, my certificate is not rotating in anywhere near 7.2 hours. These are all the certificate versions with all event timings (in PDT):
Questions:
I cannot use Event Grid notifications or VM extension because I am trying to add auto refresh of certificates in the Azure App Configuration provider library. Therefore, I'm looking for a time frame within which the new certificate version will be available in Key Vault. |
heaths
added
Service
|
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @RandalliLama, @schaabs, @jlichwa. Issue DetailsQuery/Question Questions:
Note: I cannot use Event Grid notifications. Environment:
|
|
@avanigupta the provided example is just for quick testing. 24 hours average seems right. The 23:50 is not guaranteed and can from several hours to few days. We recommend minimum 5 days for rotation. The usual expiry for certificates is 1 year. I'm not familiar with Azure App Configuration provider library use case, but it seems like but it seems like it has way to expire configuration, so once a day should be enough - it will refresh certificate before expiry (you have expiry 1 month, which means that certificate is valid for entire 30 days) |
Just to confirm, you mean that the auto-rotation policy should be setup such that it kicks in at least 5 days before the cert expires?
Yes, we want to refresh the certificate when there is a new version in Key Vault. We are using the auto-rotation time to trigger a request to Key Vault to get the new version. If newer version is not available, we will keep re-trying periodically until a new version is available, or until the current version expires (whichever comes first). Do you recommend making this periodic request every 24 hours? |
|
@avanigupta since due to various circumstances there could be up ot 72h delay , rotation more often than every 5 days may not work and yes the other way around is that rotation should be schedule at least 5 days before expiration to be on the safe spot. So in general the idea is that certificates versions should overlap, so applications has enough time to refresh (at least several days) and with that there is no need for instant refresh (previous certificate is still valid). We recommend use periodic request every 8-24h (VM Extension, Key Vault references do that) or to avoid periodic calls integrate with NewVersion event (but Im not sure how it is possible with App Configuration - I found that there is an option to refresh on demand, so it can help https://docs.microsoft.com/en-us/azure/azure-app-configuration/enable-dynamic-configuration-dotnet-core-push-refresh |
Network 2022 05 01 (Azure#20695) * Adds base for updating Microsoft.Network from version stable/2022-01-01 to version 2022-05-01 * Updates readme * Updates API version in new specs and examples * add DisableTcpStateTracking on nic (Azure#19734) Co-authored-by: Dan Tu <[email protected]> * Adding new VIP Swap APIs to support extension resource design (Azure#19698) * Adding new VIP Swap APIs to support extension resource design * fixing validation checks * minor fix * Reverting changes * Minor fix to add a new line * fix description (Azure#19987) Co-authored-by: Dan Tu <[email protected]> * Add BillingType Property to ExpressRoutePorts (Azure#19932) * change port json * changes * add Virtual network gateway policy group api (Azure#19766) * finish update on connection configuration references * resolve reference error * finish prettier * resolve sematic error * finish update change * enablePrivateLinkFastPath property for VirtualNetworkGatewayConnection resource (Azure#20050) * Support for Per Rule Actions in Application Gateway WAF (Azure#20027) * Adding changes for per rule actions * Fixing spaces * prettier fix * Addressing PR comments * Address review comments * Add ColoLocation to ExpressRoutePort result (Azure#20033) * Add ColoLocation to ExpressRoutePort result * Fix automation code check error * Merge from network-2022-05-01 * Revert "Merge from network-2022-05-01" This reverts commit f0671a040b2bad684921f8f8ad4b53bb0f4b4a93. Co-authored-by: Jianqi Zhao <[email protected]> * DDoS Per IP SKU + Custom Policy Deprecation Swagger PR (Azure#19985) * initial changes * example file changes * new files for new apis * adding a period * changing reference * prettier fixes * ddos fix * lint diff fixes * more lint diff errors * fixing operation id * changing bool to string enum * example changes * adding 202s as these are long running ops * examples Co-authored-by: Manas Chakka <[email protected]> * Adding UnhealthyThreshold property to LB health probes, and updated examples with new property (Azure#20001) * Property to enable/disable OCSP revocation check on client certificate (Azure#20301) * add new property to enable/disable OCSP revocation check on client certificate for MTLS * revert breaking change of updating enum property * Add new parameter asn, geo and expressRouteAdvertise to CustomIPPrefix for new 2022-05-01 nrp sdk version (Azure#20266) * fix * fix * fix * fix * fix * fix Co-authored-by: Weiheng Li <[email protected]> * Network 2022-05-01 Azure Virtual Network Manager Contributions (Azure#20440) * Add third NIP enum for avnm security admin config, AllowRulesOnly * add optional top parameters to various network manager post APIs * revise all example input subscriptions to all zero guid * change all top parameter max value to 100 * Revert "change all top parameter max value to 100" This reverts commit 12943d2f2b91b22f1dae232cb291a8551fedfdca. Co-authored-by: Jared Gorthy <[email protected]> * Alpelled waf manifest 05 01 2022 (Azure#20047) * init * init * fix comments * fix err * try ref to appgw def * try ref to appgw def * try ref to appgw def * try ref to appgw def * update example * update example * update example * update state and action * update state and action * change ruleset name and add tiers * cammel case fix * cammel case fix * s_ruleid * s_RuleId * suppress s_RuleId camel case issue * suppress s_RuleId camel case issue * address comments * address comments * address comments * fix typo * cont fix * cont fix * cont fix * cont fix * cont fix * add pageable * add next link Co-authored-by: Alon Pelled <[email protected]> * Add prefixType property to CustomIPPrefix for NRP 2022-05-01 (Azure#20486) * add prefixType parameter * add example * Adding swagger changes for routemaps feature (Azure#20091) * initial changes for routemaps * run npm prettier script * adding examples * fixing validation errors * more validations * more fixes * trying to fix lint error * fix for match condition * renaming ActionType to fix lint * fix for python sdk generation * renaming Rule to RouteMapRule * modify examples to remove vnetroutes from non hub vnet conns * cleanup * Added Upper-case transform (Azure#20674) Co-authored-by: dtuCloud <[email protected]> Co-authored-by: Dan Tu <[email protected]> Co-authored-by: shnaya434 <[email protected]> Co-authored-by: nimaller <[email protected]> Co-authored-by: tyrannicrex <[email protected]> Co-authored-by: Jesus Arango <[email protected]> Co-authored-by: Sindhu Aluguvelli <[email protected]> Co-authored-by: Jianqi Zhao <[email protected]> Co-authored-by: Jianqi Zhao <[email protected]> Co-authored-by: Manas Chakka <[email protected]> Co-authored-by: Manas Chakka <[email protected]> Co-authored-by: bhavanabheem <[email protected]> Co-authored-by: biaogao <[email protected]> Co-authored-by: Weiheng Li <[email protected]> Co-authored-by: Weiheng Li <[email protected]> Co-authored-by: jago2136 <[email protected]> Co-authored-by: Jared Gorthy <[email protected]> Co-authored-by: alon-microsoft <[email protected]> Co-authored-by: Alon Pelled <[email protected]> Co-authored-by: Eric Hoffmann <[email protected]> Co-authored-by: arganapathy <[email protected]> Co-authored-by: rahulbissa2727 <[email protected]>
Query/Question
I have a certificate in Key Vault with an auto-rotation policy. I want my application to reload the certificate from Key Vault when a newer version is available. I'm using the
Azure.Security.KeyVault.Certificatespackage to create aCertificateClientand get theKeyVaultCertificateWithPolicy. I then calculate the auto-rotation time of this certificate as defined in theLifetimeActionsof theCertificatePolicy. But this time is not always the exact time of auto-rotation in Key Vault. There will always be some margin of error.Questions:
Note: I cannot use Event Grid notifications.
Environment:
Azure.Security.KeyVault.Certificates v4.1.0dotnet --infooutput for .NET Core projects):The text was updated successfully, but these errors were encountered: