By: Ryan Nicholls named 23 Nov 2021 at 7:01 p.m. CST

5 Responses
Ryan Nicholls gravatar
Im having trouble getting keys to appear in the oxauth/restv1/jwks endpoint. Ive followed the steps over at to generate the new key, and placed it in /etc/certs/oxauth-keys.jks but the key has not shown up at the jwks endpoint. The json files described at dont seem to exist in my installation, so im a bit lost as to how to get the key to show up. Im also unsure how to get the key rotation to work in oxauth, i have keyRegenerationEnabled set to true but none of the keys seem to ever be regenerating.

By Michael Schwartz Account Admin 24 Nov 2021 at 10:15 p.m. CST

Michael Schwartz gravatar
They have deployed one server, `keyRegenerationEnabled = true`, but still the keys are not rotating. Also, as CITEC is publishing an additional encryption key, will they have to disable internal key rotation, and implement a different process?

By Milton Ch. staff 25 Nov 2021 at 9:19 a.m. CST

Milton Ch. gravatar
What is the value for `keyRegenerationInterval`? In the middle you should see these logs: `Updating JWKS keys ...` `Updated JWKS successfully` This process is handled via Job executor and at startup time of the application you should see also these logs (just to verify that the executor is running) `Initializing Key Generator Timer` `Initialized Key Generator Timer` Could you verify if you had some error/exception in the middle?

By Ryan Nicholls named 25 Nov 2021 at 4:34 p.m. CST

Ryan Nicholls gravatar
My keyRegenerationInterval is currently set to 48. I can see both Initializing Key Generator Timer and Initialized Key Generator Timer appear a number of times in my logs with no errors in the middle. Updating JWKS keys appears in my logs fine until the 31st of October, after that point it never appears in the logs. They keys i have are all expired November 2.

By Ryan Nicholls named 25 Nov 2021 at 5:12 p.m. CST

Ryan Nicholls gravatar
I Updated my keyRegenerationInterval to 1 and the key has rotated. Is the rotation interval tied to uptime? If the server is restarted, does that mean that the server will wait until the regeneration interval elapses from the restart time even if the keys were generated well before?

By Milton Ch. staff 26 Nov 2021 at 6:58 a.m. CST

Milton Ch. gravatar
Yes, it is, but in case your keys have rotated, then it's tied to the last rotation. 48 hours is a good interval, maybe there was another issue in the middle after log `Updating JWKS keys ...`, perhaps you have an error/exception if you don't see `Updated JWKS successfully` log at the end. Anyway, `keyRegenerationInterval` is only an interval to review all keys, in case a key hasn't expired yet, it would get reviewed during next execution. Good to see that your keys have rotated once you updated it, but still wonder why it failed before, let me know if you want to review it further.