Certificates are only renewed at exact expiration date #300
Comments
Yes, it was the plan that identityd would renew the device ID cert on a timer some time before it expires (same with certd and the EST ID cert). But it looks like we never got around to implementing it.
Any timeline and planned identityd version where it will happen will be greatly appreciated =)
We're just discussing the same, would be super to have an option to set in
We have implemented a configurable auto-renewal of the device ID and EST identity certs. The option is available here for device identity certs: iot-identity-service/aziotctl/config/unix/template.toml (lines 132 to 134 at commit e5a0e0b)
And here for EST identity certs: iot-identity-service/aziotctl/config/unix/template.toml (lines 182 to 184 at commit e5a0e0b)
Note that this feature isn't released yet and will go in a future release. However, you can try it out now by downloading the latest packages from this repo.
Right now, in 1.2.3, certificate renewal will only happen once, at expiration. Source: aziot-identityd - identity.rs.
This is not practical at all for IIoT devices that are often deployed in places with unreliable connectivity. With such an approach, renewal is likely to fail, while automatic renewal is also a key feature many customers were waiting for.
A much better approach would be to start repeated attempts to renew when the certificate is about 80-90% expired. Then, if the first renewal attempt failed, the next one can be scheduled in X weeks/X days, and the closer the expiration date, the more frequent the attempts should be. If this will not be the default behavior, at least there should be an option to enable it.
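The retry schedule proposed above, as an added example that is not identityd's or certd's own code: attempts begin once a configurable fraction of the lifetime has elapsed, and each retry waits a fraction of the validity still remaining, so a device on a flaky link gets progressively more chances before expiry. `RenewalPolicy`, `next_attempt` and `attempt_times` are assumed names, and times are plain seconds so the block has no dependencies.

```rust
/// Seconds since the Unix epoch; plain integers keep the example dependency-free.
pub type Secs = u64;

#[derive(Clone, Copy)]
pub struct RenewalPolicy {
    /// Fraction of the cert lifetime that must elapse before the first attempt (0.8 = 80%).
    pub start_at: f64,
    /// Each retry waits this fraction of the validity still remaining,
    /// so attempts become more frequent as expiry approaches.
    pub retry_fraction: f64,
    /// Floor on the retry interval so a flapping link does not hammer the CA.
    pub min_retry: Secs,
}

/// Earliest time at which renewal attempts should begin.
pub fn renewal_start(not_before: Secs, not_after: Secs, p: &RenewalPolicy) -> Secs {
    let lifetime = not_after.saturating_sub(not_before) as f64;
    not_before + (lifetime * p.start_at) as Secs
}

/// When the daemon should next try to renew, given the current time.
pub fn next_attempt(not_before: Secs, not_after: Secs, now: Secs, p: &RenewalPolicy) -> Secs {
    let start = renewal_start(not_before, not_after, p);
    if now < start {
        return start; // still in the quiet part of the lifetime: wait for the threshold
    }
    if now >= not_after {
        return now; // already expired: keep trying without delay
    }
    let remaining = (not_after - now) as f64;
    now + ((remaining * p.retry_fraction) as Secs).max(p.min_retry)
}

/// Attempt times the policy produces if every attempt fails, up to expiry
/// (handy for sanity-checking a policy before rolling it out to a fleet).
pub fn attempt_times(not_before: Secs, not_after: Secs, p: &RenewalPolicy, max: usize) -> Vec<Secs> {
    let mut times = Vec::new();
    let mut t = renewal_start(not_before, not_after, p);
    while t < not_after && times.len() < max {
        times.push(t);
        t = next_attempt(not_before, not_after, t, p);
    }
    times
}

fn main() {
    // Constructed 90-day cert: attempts start at day 72 and bunch up towards day 90.
    let day: Secs = 86_400;
    let p = RenewalPolicy { start_at: 0.8, retry_fraction: 0.5, min_retry: day };
    for t in attempt_times(0, 90 * day, &p, 20) {
        println!("attempt at day {:.1}", t as f64 / day as f64);
    }
}
```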