Key rotations

Key rotations allow you to set up a cycle that rotates between 2 and 10 keypairs and their certificates. This enhances security by automatically changing keys after a predetermined period of time and after each signing, so that you never have multiple consecutive signings that use the same key and certificate.

To identify a key rotation, navigate to DigiCert ONE > DigiCert® Software Trust Manager > Keypairs and look for Rotation in the Type column.

Note

Keypairs assigned to a key rotation are not listed and cannot be managed in the Keypairs tab in Software Trust Manager.

Create a key rotation

You require the Manage keypair permission to create a key rotation.

  1. Sign in to DigiCert ONE.

  2. Select the Manager menu (top right) > Software Trust.

  3. Navigate to: Keypairs > Key rotations.

  4. Select Create key rotation.

  5. Complete the following fields:

     Rotation name
       Enter a name that easily identifies which rotation you are using.

     Team
       Select the team that should have access to this key rotation.

       Note
       Selecting a team limits the keypairs available for selection to those the selected team is allowed to use.
       This option is only available if you have teams enabled in Account > Account settings > Teams.

     Select keypairs
       Select between 2 and 10 keypairs to cycle during the rotation.

       Note
       Only production keypairs with a default certificate are available for selection.

     Rotation frequency
       Determine how often the keys should rotate.

     Keypair status
       Select Online to rotate keypairs that can be used to sign at any time.
       Select Offline to rotate keypairs that can only be used to sign during a release window.

     Access
       Select Open to allow any user within your account to access the key rotation.
       Select Restricted to limit access to the key rotation to specified users, user groups, or teams.

     Allowed users
       Select the individual validated users who can use this key rotation.

     Allowed user groups
       Select the groups of users that can use this key rotation.

View key rotation details

The key rotation details page lists the keypair rotation ID, key rotation status, date created, keypair status, and the allowed users, groups, or teams. It also lists the keypairs and default certificates that are in the rotation.

To view key rotation details:

  1. Sign in to DigiCert ONE.

  2. Select the Manager menu (top right) > Software Trust.

  3. Navigate to: Keypairs > Key rotations.

  4. Click on the keypair rotation alias.

Rotate key

You can rotate the keys in a key rotation from either Software Trust Manager or SMCTL.

Search the signature logs for key rotations

You can find signings made with a key rotation by navigating to Logs > Signature logs and entering the rotation name in the Keypair alias filter field.

  1. Sign in to DigiCert ONE.

  2. Select the Manager menu (top right) > Software Trust.

  3. Navigate to: Logs > Signature logs.

  4. Locate the Keypair alias column and enter the rotation alias into its filter field.