Key Rotation

How do I rotate my JWKS keys?

The process for rotating your JWKS keys depends on where they are hosted:

If your JWKS is hosted on your own endpoint:

  • You can rotate your keys at any time without notifying Corppass.

  • Ensure your system dynamically recognizes the new keys by using the "kid" (Key ID) field.

If your JWKS is stored as a JWKS Object with Corppass:

  1. Submit your new keys to Corppass for an update.

  2. Corppass will add the new keys to the keyset while temporarily retaining the old keys.

  3. Ensure your application dynamically selects the correct key for decryption using the "kid" field.

  4. Test the new keyset to confirm successful integration.

  5. Once verified, Corppass will remove the old keys from the system.

By following this process, you ensure a smooth key transition without service disruptions.


What should I do if my encryption key needs to be rotated?

To ensure zero-downtime key rotation, follow these steps:

  1. Generate a new encryption key pair (K2) while keeping the existing key (K1) active.

  2. Add K2 to your JWKS while retaining K1.

  3. Wait at least 1 hour to allow Corppass to retrieve the new key.

  4. Verify that Corppass is using K2 before removing K1 from the JWKS.

This process ensures that encryption remains uninterrupted during the transition.
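The two procedures above (kid-based key selection in a JWKS and the K1/K2 zero-downtime rotation) as an added Python example; this is not Corppass code. The JWK values and kid names are constructed placeholders, and the "retire only after the new kid has been observed" rule is one way to implement step 4.

```python
import json
from typing import Dict

# Constructed sample JWKs: kids and EC coordinates are placeholders, not real keys.
K1 = {"kty": "EC", "crv": "P-256", "kid": "enc-key-2023", "use": "enc",
      "x": "PLACEHOLDER_X1", "y": "PLACEHOLDER_Y1"}
K2 = {"kty": "EC", "crv": "P-256", "kid": "enc-key-2024", "use": "enc",
      "x": "PLACEHOLDER_X2", "y": "PLACEHOLDER_Y2"}


class JwksRotation:
    """Holds the published JWKS and records which kids have been seen on incoming tokens."""

    def __init__(self, *keys: Dict) -> None:
        self.keys: Dict[str, Dict] = {}
        self.seen_kids = set()
        for k in keys:
            self.add_key(k)

    def add_key(self, jwk: Dict) -> None:
        # Step 2: publish K2 alongside K1. Every key needs a unique kid or consumers cannot select it.
        kid = jwk.get("kid")
        if not kid:
            raise ValueError("JWK is missing 'kid'")
        if kid in self.keys:
            raise ValueError(f"duplicate kid {kid!r}")
        self.keys[kid] = jwk

    def select_key(self, jwe_header: Dict) -> Dict:
        # Step 3: choose the decryption key named in the token's protected header,
        # and refuse to use a key that is not marked for encryption.
        kid = jwe_header.get("kid")
        if kid not in self.keys:
            raise KeyError(f"no key with kid {kid!r} in JWKS")
        jwk = self.keys[kid]
        if jwk.get("use") not in (None, "enc"):
            raise KeyError(f"kid {kid!r} is not an encryption key")
        self.seen_kids.add(kid)
        return jwk

    def retire_key(self, old_kid: str, new_kid: str) -> bool:
        # Step 4: remove K1 only after a token encrypted under K2 has actually been observed.
        if new_kid not in self.seen_kids or old_kid not in self.keys:
            return False
        del self.keys[old_kid]
        return True

    def publish(self) -> str:
        # The JSON document served at the JWKS endpoint.
        return json.dumps({"keys": list(self.keys.values())}, indent=2)
```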


Does Corppass require both signing and encryption keys?

Yes, Corppass requires both:

  • A signing key (EC) for validating client assertions.

  • An encryption key (EC or RSA) for encrypting ID tokens.

Note: RSA encryption keys are deprecated but still supported for backward compatibility. New implementations should use EC encryption keys.