RSA Key Rotation Strategies
Learn when and how to rotate RSA keys. Understand rotation schedules, zero-downtime strategies, and automated key lifecycle management for production environments.
Key rotation is the practice of replacing cryptographic keys on a regular schedule. Even if a key has not been compromised, rotation limits the amount of data encrypted under any single key and reduces the impact of an undetected breach.
Why Rotate Keys?
- Limit exposure — if a key is compromised, only data from the current rotation period is affected
- Compliance — PCI DSS, HIPAA, SOC 2, and other standards require periodic key rotation
- Algorithm agility — rotation provides opportunities to upgrade key sizes or algorithms
- Revocation is hard — in practice, revoking a compromised key is slow and unreliable
Rotation Schedules
| Use Case | Recommended Period | Rationale |
|---|---|---|
| TLS certificates | 90 days - 1 year | Let's Encrypt defaults to 90 days |
| SSH host keys | 1-2 years | Balance between security and operational effort |
| JWT signing keys | 30-90 days | Tokens are short-lived; key rotation is low-friction |
| Code signing keys | 2-3 years | Long-lived signatures need stable verification |
| CA root keys | 10-20 years | Rarely rotated; protected by HSM |
Zero-Downtime Rotation
Phase 1: Introduce New Key
- Generate new key pair
- Publish new public key alongside existing one
- Both keys are valid for verification
Phase 2: Transition Signing
- New operations use the new private key
- Old key still accepted for verification
- Overlap period allows all consumers to learn the new key
Phase 3: Retire Old Key
- Remove old key from active use
- Keep old public key available for verifying historical signatures
- Archive old private key securely (or destroy it)
Automated Rotation with JWKS
For JWT signing keys, rotation through a JWKS (JSON Web Key Set) endpoint is straightforward: the issuer publishes every currently valid public key, each identified by a `kid`:

```json
{
  "keys": [
    { "kid": "key-2024-q1", "kty": "RSA", "use": "sig", ... },
    { "kid": "key-2024-q2", "kty": "RSA", "use": "sig", ... }
  ]
}
```

Signing uses the newest key; verification accepts any key in the set. Consumers cache the JWKS and refresh it periodically or when they encounter an unknown `kid`.
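The three rotation phases and the JWKS consumer behaviour above, as an added Go example using only the standard library (this is not code from the page or any named tool). The `KeyRing`/`Verifier` names, the `kid` values, the 2048-bit key size and the choice of PKCS#1 v1.5 with SHA-256 (the JWT RS256 scheme) are assumptions made for the illustration; the `fetch` callback stands in for the HTTP request a real consumer would make to the JWKS URL.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// KeyRing is the signer's side. Introduce publishes a key and makes it the signing key
// (phases 1-2), Sign always uses that newest key and Retire unpublishes a key (phase 3).
type KeyRing struct {
	keys   map[string]*rsa.PrivateKey
	active string // kid of the key used for new signatures
}
func NewKeyRing() *KeyRing { return &KeyRing{keys: map[string]*rsa.PrivateKey{}} }
func digest(msg []byte) []byte { h := sha256.Sum256(msg); return h[:] }
func (r *KeyRing) Introduce(kid string) error {
	k, err := rsa.GenerateKey(rand.Reader, 2048) // key size chosen for the example
	if err != nil { return err }
	r.keys[kid], r.active = k, kid
	return nil
}
func (r *KeyRing) Retire(kid string) error {
	if kid == r.active { return fmt.Errorf("kid %q is still the active signing key", kid) }
	delete(r.keys, kid) // the overlap period for this key is over
	return nil
}
// JWKS is the published set as a consumer fetches it (a copy, so caches stay independent).
func (r *KeyRing) JWKS() map[string]*rsa.PublicKey {
	set := map[string]*rsa.PublicKey{}
	for kid, k := range r.keys { set[kid] = &k.PublicKey }
	return set
}
func (r *KeyRing) Sign(msg []byte) (string, []byte, error) {
	sig, err := rsa.SignPKCS1v15(rand.Reader, r.keys[r.active], crypto.SHA256, digest(msg))
	return r.active, sig, err // the kid travels with the signature (the JWT header in practice)
}
// Verifier is the consumer's side: it caches the JWKS and refetches only on an unknown kid.
type Verifier struct {
	cache map[string]*rsa.PublicKey
	fetch func() map[string]*rsa.PublicKey // in production an HTTP GET of the JWKS URL
}
func (v *Verifier) Verify(kid string, msg, sig []byte) error {
	if _, ok := v.cache[kid]; !ok { v.cache = v.fetch() } // unknown kid: refresh once
	pub, ok := v.cache[kid]
	if !ok { return fmt.Errorf("unknown kid %q", kid) } // still unknown: fail closed
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(msg), sig)
}
```

A consumer that learned the old key before retirement keeps accepting it from its cache until its next refresh, which is why the overlap period has to be long enough for every consumer's refresh interval.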
Automation Tools
- cert-manager (Kubernetes) — automated TLS certificate rotation
- Let's Encrypt + certbot — automated 90-day certificate renewal
- AWS KMS — supports automatic annual key rotation
- HashiCorp Vault — dynamic secrets with configurable TTLs
Use Case
Production systems require key rotation policies to meet compliance requirements and maintain security posture. DevOps engineers implement automated rotation for TLS certificates, JWT signing keys, and SSH host keys. Without rotation, a single key compromise can expose years of encrypted data.