Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[QUERY] Key Vault cert auto-rotation timeline #20266

Closed
avanigupta opened this issue Apr 9, 2021 · 8 comments
Closed

[QUERY] Key Vault cert auto-rotation timeline #20266

avanigupta opened this issue Apr 9, 2021 · 8 comments
Assignees
Labels
KeyVault needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team Service Attention Workflow: This issue is responsible by Azure service team. Service This issue points to a problem in the service.

Comments

@avanigupta
Copy link
Member

Query/Question
I have a certificate in Key Vault with an auto-rotation policy. I want my application to reload the certificate from Key Vault when a newer version is available. I'm using the Azure.Security.KeyVault.Certificates package to create a CertificateClient and get the KeyVaultCertificateWithPolicy. I then calculate the auto-rotation time of this certificate as defined in the LifetimeActions of the CertificatePolicy. But this time is not always the exact time of auto-rotation in Key Vault. There will always be some margin of error.

Questions:

  • How do I calculate the exact time when the new version of certificate will be available in Key Vault?
  • Is there a time window between which the certificate is guaranteed to be rotated?

Note: I cannot use Event Grid notifications.

Environment:

  • Name and version of the Library package used: Azure.Security.KeyVault.Certificates v4.1.0
  • Hosting platform or OS and .NET runtime version (dotnet --info output for .NET Core projects):
dotnet --info
.NET SDK (reflecting any global.json):
Version:   5.0.201
Commit:    a09bd5c86c

Runtime Environment:
OS Name:     Windows
OS Version:  10.0.19042
OS Platform: Windows
RID:         win10-x64
Base Path:   C:\Program Files\dotnet\sdk\5.0.201\

Host (useful for support):
 Version: 5.0.4
 Commit:  f27d337295

.NET SDKs installed:
 3.0.103 [C:\Program Files\dotnet\sdk]
 3.1.407 [C:\Program Files\dotnet\sdk]
 5.0.104 [C:\Program Files\dotnet\sdk]
 5.0.201 [C:\Program Files\dotnet\sdk]

.NET runtimes installed:
 Microsoft.AspNetCore.All 2.1.26 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
 Microsoft.AspNetCore.App 2.1.26 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
 Microsoft.AspNetCore.App 3.0.3 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
 Microsoft.AspNetCore.App 3.1.13 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
 Microsoft.AspNetCore.App 5.0.4 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
 Microsoft.NETCore.App 2.1.26 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
 Microsoft.NETCore.App 3.0.3 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
 Microsoft.NETCore.App 3.1.13 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
 Microsoft.NETCore.App 5.0.4 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
 Microsoft.WindowsDesktop.App 3.0.3 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
 Microsoft.WindowsDesktop.App 3.1.13 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
 Microsoft.WindowsDesktop.App 5.0.4 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  • IDE and version : Visual Studio 2019, Version 16.9.1
@ghost ghost added the needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. label Apr 9, 2021
@jsquire jsquire added Client This issue points to a problem in the data-plane of the library. KeyVault needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team labels Apr 10, 2021
@ghost ghost removed the needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. label Apr 10, 2021
@jsquire
Copy link
Member

jsquire commented Apr 10, 2021

Thank you for your feedback. Tagging and routing to the team member best able to assist.

@heaths
Copy link
Member

heaths commented Apr 12, 2021

@avanigupta, are you saying the time you get back via the SDK doesn't match the service timeout (perhaps displayed in the Portal), or that the key/certificate isn't actually rotated when you expect it to be given the time displayed?

/cc @jlichwa

@jlichwa
Copy link

jlichwa commented Apr 12, 2021

@avanigupta depends on the number of certificates and needed retries the actual time will vary and it is not possible to come up with actual time.
For application to refresh we usually have a job which checks every few hours (i.e. Key Vault VM extension) for new certificate and other option will be to use Event Grid notification which is triggered when there is new version of certificate:
https://docs.microsoft.com/en-us/azure/event-grid/event-schema-key-vault?tabs=event-grid-event-schema

@avanigupta
Copy link
Member Author

@jlichwa , I have a test certificate with the following auto-rotation policy:

  • Validity: 1 month
  • Percentage lifetime: 1%

So this certificate should rotate every 7.2 hours (as documented here).

However, my certificate is not rotating in anywhere near 7.2 hours. These are all the certificate versions with all event timings (in PDT):

Version CreatedOn ExpiresOn Expected Rotation Time Actual Rotation Time Difference
1f5...856 4/9 11:59 AM 5/9 11:59 AM 4/9 7:11 PM 4/10 7:01 PM 23 hrs 50 mins
638...1de 4/10 7:01 PM 5/10 7:01 PM 4/11 2:13 AM 4/12 2:04 AM 23 hrs 51 mins
562...1de 4/12 2:04 AM 5/12 2:04 AM 4/12 9:16 AM Not rotated yet NA

Questions:

  • I'm assuming that "Actual Rotation Time" is the same as the CreatedOn time of the newer version. Is that correct?
  • For my test cert, the difference between actual and expected rotation time is 23:50 hrs. Is is safe to assume that that's always the case?

I cannot use Event Grid notifications or VM extension because I am trying to add auto refresh of certificates in the Azure App Configuration provider library. Therefore, I'm looking for a time frame within which the new certificate version will be available in Key Vault.

@heaths heaths added Service This issue points to a problem in the service. Service Attention Workflow: This issue is responsible by Azure service team. and removed Client This issue points to a problem in the data-plane of the library. labels Apr 12, 2021
@ghost
Copy link

ghost commented Apr 12, 2021

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @RandalliLama, @schaabs, @jlichwa.

Issue Details

Query/Question
I have a certificate in Key Vault with an auto-rotation policy. I want my application to reload the certificate from Key Vault when a newer version is available. I'm using the Azure.Security.KeyVault.Certificates package to create a CertificateClient and get the KeyVaultCertificateWithPolicy. I then calculate the auto-rotation time of this certificate as defined in the LifetimeActions of the CertificatePolicy. But this time is not always the exact time of auto-rotation in Key Vault. There will always be some margin of error.

Questions:

  • How do I calculate the exact time when the new version of certificate will be available in Key Vault?
  • Is there a time window between which the certificate is guaranteed to be rotated?

Note: I cannot use Event Grid notifications.

Environment:

  • Name and version of the Library package used: Azure.Security.KeyVault.Certificates v4.1.0
  • Hosting platform or OS and .NET runtime version (dotnet --info output for .NET Core projects):
dotnet --info
.NET SDK (reflecting any global.json):
Version:   5.0.201
Commit:    a09bd5c86c

Runtime Environment:
OS Name:     Windows
OS Version:  10.0.19042
OS Platform: Windows
RID:         win10-x64
Base Path:   C:\Program Files\dotnet\sdk\5.0.201\

Host (useful for support):
 Version: 5.0.4
 Commit:  f27d337295

.NET SDKs installed:
 3.0.103 [C:\Program Files\dotnet\sdk]
 3.1.407 [C:\Program Files\dotnet\sdk]
 5.0.104 [C:\Program Files\dotnet\sdk]
 5.0.201 [C:\Program Files\dotnet\sdk]

.NET runtimes installed:
 Microsoft.AspNetCore.All 2.1.26 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
 Microsoft.AspNetCore.App 2.1.26 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
 Microsoft.AspNetCore.App 3.0.3 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
 Microsoft.AspNetCore.App 3.1.13 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
 Microsoft.AspNetCore.App 5.0.4 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
 Microsoft.NETCore.App 2.1.26 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
 Microsoft.NETCore.App 3.0.3 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
 Microsoft.NETCore.App 3.1.13 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
 Microsoft.NETCore.App 5.0.4 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
 Microsoft.WindowsDesktop.App 3.0.3 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
 Microsoft.WindowsDesktop.App 3.1.13 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
 Microsoft.WindowsDesktop.App 5.0.4 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  • IDE and version : Visual Studio 2019, Version 16.9.1
Author: avanigupta
Assignees: heaths
Labels:

KeyVault, Service, Service Attention, needs-team-attention

Milestone: -

@jlichwa
Copy link

jlichwa commented Apr 12, 2021

@avanigupta the provided example is just for quick testing. 24 hours average seems right. The 23:50 is not guaranteed and can from several hours to few days. We recommend minimum 5 days for rotation. The usual expiry for certificates is 1 year.

I'm not familiar with Azure App Configuration provider library use case, but it seems like but it seems like it has way to expire configuration, so once a day should be enough - it will refresh certificate before expiry (you have expiry 1 month, which means that certificate is valid for entire 30 days)

@avanigupta
Copy link
Member Author

We recommend minimum 5 days for rotation.

Just to confirm, you mean that the auto-rotation policy should be setup such that it kicks in at least 5 days before the cert expires?

I'm not familiar with Azure App Configuration provider library use case, but it seems like but it seems like it has way to expire configuration, so once a day should be enough - it will refresh certificate before expiry (you have expiry 1 month, which means that certificate is valid for entire 30 days)

Yes, we want to refresh the certificate when there is a new version in Key Vault. We are using the auto-rotation time to trigger a request to Key Vault to get the new version. If newer version is not available, we will keep re-trying periodically until a new version is available, or until the current version expires (whichever comes first). Do you recommend making this periodic request every 24 hours?

@jlichwa
Copy link

jlichwa commented Apr 12, 2021

@avanigupta since due to various circumstances there could be up ot 72h delay , rotation more often than every 5 days may not work and yes the other way around is that rotation should be schedule at least 5 days before expiration to be on the safe spot.

So in general the idea is that certificates versions should overlap, so applications has enough time to refresh (at least several days) and with that there is no need for instant refresh (previous certificate is still valid).

We recommend use periodic request every 8-24h (VM Extension, Key Vault references do that) or to avoid periodic calls integrate with NewVersion event (but Im not sure how it is possible with App Configuration - I found that there is an option to refresh on demand, so it can help https://docs.microsoft.com/en-us/azure/azure-app-configuration/enable-dynamic-configuration-dotnet-core-push-refresh

azure-sdk pushed a commit to azure-sdk/azure-sdk-for-net that referenced this issue Sep 19, 2022
Network 2022 05 01 (Azure#20695)

* Adds base for updating Microsoft.Network from version stable/2022-01-01 to version 2022-05-01

* Updates readme

* Updates API version in new specs and examples

* add DisableTcpStateTracking on nic (Azure#19734)

Co-authored-by: Dan Tu <dantu@microsoft.com>

* Adding new VIP Swap APIs to support extension resource design (Azure#19698)

* Adding new VIP Swap APIs to support extension resource design

* fixing validation checks

* minor fix

* Reverting changes

* Minor fix to add a new line

* fix description (Azure#19987)

Co-authored-by: Dan Tu <dantu@microsoft.com>

* Add BillingType Property to ExpressRoutePorts (Azure#19932)

* change port json

* changes

* add Virtual network gateway policy group api (Azure#19766)

* finish update on connection configuration references

* resolve reference error

* finish prettier

* resolve sematic error

* finish update change

* enablePrivateLinkFastPath property for VirtualNetworkGatewayConnection resource (Azure#20050)

* Support for Per Rule Actions in Application Gateway WAF (Azure#20027)

* Adding changes for per rule actions

* Fixing spaces

* prettier fix

* Addressing PR comments

* Address review comments

* Add ColoLocation to ExpressRoutePort result (Azure#20033)

* Add ColoLocation to ExpressRoutePort result

* Fix automation code check error

* Merge from network-2022-05-01

* Revert "Merge from network-2022-05-01"

This reverts commit f0671a040b2bad684921f8f8ad4b53bb0f4b4a93.

Co-authored-by: Jianqi Zhao <jianzhao@microsoft.com>

* DDoS Per IP SKU + Custom Policy Deprecation Swagger PR (Azure#19985)

* initial changes

* example file changes

* new files for new apis

* adding a period

* changing reference

* prettier fixes

* ddos fix

* lint diff fixes

* more lint diff errors

* fixing operation id

* changing bool to string enum

* example changes

* adding 202s as these are long running ops

* examples

Co-authored-by: Manas Chakka <manaschakka@microsoft.com>

* Adding UnhealthyThreshold property to LB health probes, and updated examples with new property (Azure#20001)

* Property to enable/disable OCSP revocation check on client certificate (Azure#20301)

* add new property to enable/disable OCSP revocation check on client certificate for MTLS

* revert breaking change of updating enum property

* Add new parameter asn, geo and expressRouteAdvertise to CustomIPPrefix for new 2022-05-01 nrp sdk version (Azure#20266)

* fix

* fix

* fix

* fix

* fix

* fix

Co-authored-by: Weiheng Li <weihl@microsoft.com>

* Network 2022-05-01 Azure Virtual Network Manager Contributions (Azure#20440)

* Add third NIP enum for avnm security admin config, AllowRulesOnly

* add optional top parameters to various network manager post APIs

* revise all example input subscriptions to all zero guid

* change all top parameter max value to 100

* Revert "change all top parameter max value to 100"

This reverts commit 12943d2f2b91b22f1dae232cb291a8551fedfdca.

Co-authored-by: Jared Gorthy <jaredgorthy@microsoft.com>

* Alpelled waf manifest 05 01 2022 (Azure#20047)

* init

* init

* fix comments

* fix err

* try ref to appgw def

* try ref to appgw def

* try ref to appgw def

* try ref to appgw def

* update example

* update example

* update example

* update state and action

* update state and action

* change ruleset name and add tiers

* cammel case fix

* cammel case fix

* s_ruleid

* s_RuleId

* suppress s_RuleId camel case issue

* suppress s_RuleId camel case issue

* address comments

* address comments

* address comments

* fix typo

* cont fix

* cont fix

* cont fix

* cont fix

* cont fix

* add pageable

* add next link

Co-authored-by: Alon Pelled <alpelled@microsoft.com>

* Add prefixType property to CustomIPPrefix for NRP 2022-05-01 (Azure#20486)

* add prefixType parameter

* add example

* Adding swagger changes for routemaps feature (Azure#20091)

* initial changes for routemaps

* run npm prettier script

* adding examples

* fixing validation errors

* more validations

* more fixes

* trying to fix lint error

* fix for match condition

* renaming ActionType to fix lint

* fix for python sdk generation

* renaming Rule to RouteMapRule

* modify examples to remove vnetroutes from non hub vnet conns

* cleanup

* Added Upper-case transform (Azure#20674)

Co-authored-by: dtuCloud <tudan0103@gmail.com>
Co-authored-by: Dan Tu <dantu@microsoft.com>
Co-authored-by: shnaya434 <67019054+shnaya434@users.noreply.github.com>
Co-authored-by: nimaller <71352534+nimaller@users.noreply.github.com>
Co-authored-by: tyrannicrex <jiaczh@microsoft.com>
Co-authored-by: Jesus Arango <jearango@microsoft.com>
Co-authored-by: Sindhu Aluguvelli <sindhureddy216@gmail.com>
Co-authored-by: Jianqi Zhao <archie.j.zhao@gmail.com>
Co-authored-by: Jianqi Zhao <jianzhao@microsoft.com>
Co-authored-by: Manas Chakka <mchakka@gmail.com>
Co-authored-by: Manas Chakka <manaschakka@microsoft.com>
Co-authored-by: bhavanabheem <109241669+bhavanabheem@users.noreply.github.com>
Co-authored-by: biaogao <biga@microsoft.com>
Co-authored-by: Weiheng Li <weihengli.tj@gmail.com>
Co-authored-by: Weiheng Li <weihl@microsoft.com>
Co-authored-by: jago2136 <42753636+jago2136@users.noreply.github.com>
Co-authored-by: Jared Gorthy <jaredgorthy@microsoft.com>
Co-authored-by: alon-microsoft <31221093+alon-microsoft@users.noreply.github.com>
Co-authored-by: Alon Pelled <alpelled@microsoft.com>
Co-authored-by: Eric Hoffmann <112216215+erichoffmannms@users.noreply.github.com>
Co-authored-by: arganapathy <109313670+arganapathy@users.noreply.github.com>
Co-authored-by: rahulbissa2727 <106511944+rahulbissa2727@users.noreply.github.com>
@github-actions github-actions bot locked and limited conversation to collaborators Mar 27, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
KeyVault needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team Service Attention Workflow: This issue is responsible by Azure service team. Service This issue points to a problem in the service.
Projects
None yet
Development

No branches or pull requests

4 participants