How to temporarily postpone key-manager key-rotation


Below are instructions for temporarily delaying key rotation in MOSIP 1.1.5 when the MOSIP module keys are about to expire.

This only works if trust validation is not enabled for biometric devices and IDA key rotation is not required.

 Instructions

  1. Identify which keys will be expiring in the kernel key manager by running the following query:

    select * from key_alias ka where key_expire_dtimes >= current_date and key_expire_dtimes < current_date + 30 and (ref_id='' or app_id='KERNEL');

  2. Now, set the key_expire_dtimes to a future date for all the keys that are returned from the query in step #1 except for the key with app_id KERNEL. Do not modify the expiry of the kernel key.

  3. On the day of expiry, when a request is made to the key manager, the system will automatically generate a new KERNEL SIGN key with an expiry date of 3 years.
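
One way to carry out step 2 safely, as an added example that is not MOSIP's own script. It assumes PostgreSQL and a session connected to the database that holds key_alias; the backup table name key_alias_expiry_backup and the 90-day postponement are constructed values to replace with your own.

```sql
BEGIN;

-- Keep a copy of every row returned by the step 1 query, so the original
-- expiry values can be restored. key_alias_expiry_backup is a hypothetical name.
CREATE TABLE key_alias_expiry_backup AS
SELECT *
FROM key_alias
WHERE key_expire_dtimes >= current_date
  AND key_expire_dtimes <  current_date + 30
  AND (ref_id = '' OR app_id = 'KERNEL');

-- Step 2: postpone the keys from step 1, leaving every app_id KERNEL row alone.
-- The new expiry (90 days out) is a constructed value; choose your own date.
UPDATE key_alias
SET key_expire_dtimes = current_date + interval '90 days'
WHERE key_expire_dtimes >= current_date
  AND key_expire_dtimes <  current_date + 30
  AND (ref_id = '' OR app_id = 'KERNEL')
  AND app_id <> 'KERNEL'
RETURNING app_id, ref_id, key_expire_dtimes;

-- Check 1: re-run the step 1 query. Only app_id KERNEL rows should remain
-- inside the 30-day window.
SELECT app_id, ref_id, key_expire_dtimes
FROM key_alias
WHERE key_expire_dtimes >= current_date
  AND key_expire_dtimes <  current_date + 30
  AND (ref_id = '' OR app_id = 'KERNEL');

-- Check 2: the KERNEL rows must be byte-for-byte unchanged. This returns
-- zero rows when every backed-up KERNEL row still exists as it was.
SELECT * FROM key_alias_expiry_backup WHERE app_id = 'KERNEL'
EXCEPT
SELECT * FROM key_alias;

-- If either check shows something unexpected, run ROLLBACK instead of COMMIT.
-- ROLLBACK also discards the backup table created in this transaction.
COMMIT;
```

Keep the backup table until proper key rotation has been done, so the postponed keys can be identified later.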

This is not a replacement for a proper key-rotation technique. It is only a temporary measure to avoid disrupting operations.
