Maintaining certificates and private keys in kvm - any better solution to keep them out of apigee

Hi Team,

We have an Apigee solution design wherein we store our public keys and private keys in KVMs.

Public keys are exposed publicly via the /jwks endpoint, whereas the private keys are retrieved at runtime from a secured KVM.

The issue we have is that we have multiple environments, and updating all of them is becoming a herculean task. So is there any solution or tool where we can host the public certs and private keys externally and use an API call to get them and cache them at runtime? Mere Java code is not acceptable; it has to be a standard key management solution, to ensure that the rotation of keys is also as per standard process.

Your inputs are welcome.

Also, what is the standard way of updating a KVM? We generally update the existing value using the management API with a POST call; will this cause any problem, or do we have to use a PUT operation? We are not updating the KVM at runtime; rather, we are updating the configuration through a management POST API call.


Hi!

You could use Property Sets as an alternative to KVMs. These can be scoped to an environment and have support for Update operations. The property sets are encrypted using the application encryption key that you've assigned during the provisioning process.

Alternatively, in your proxy or shared flow configuration you could also perform a Service Callout to Secret Manager and temporarily store the credentials using the Cache policies (set, TTL / expiration accordingly) or a KVM policy with a PUT operation.
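The second option the reply sketches (look up a cached copy of the key, and on a miss call Secret Manager and cache the result with a TTL) written out as Apigee policy XML, added here as an illustrative example that is not code from the original thread, from Apigee or from Google. It assumes Apigee X (the `<Authentication>` block uses the runtime's service account, which would need the Secret Manager Secret Accessor role), a placeholder project id `my-gcp-project`, a placeholder secret named `jwt-signing-key`, and a shared flow that runs the five policies in the order listed. The Secret Manager response carries the secret base64-encoded in `payload.data`, so the flow decodes it before caching.

```xml
<!-- sharedflows/default.xml: order matters, each step feeds the next -->
<SharedFlow name="default">
  <Step><Name>LC-SigningKey</Name></Step>
  <!-- Only go to Secret Manager when the cache has nothing -->
  <Step>
    <Condition>lookupcache.LC-SigningKey.cachehit = false</Condition>
    <Name>SC-SecretManager</Name>
  </Step>
  <Step>
    <Condition>lookupcache.LC-SigningKey.cachehit = false</Condition>
    <Name>EV-Secret</Name>
  </Step>
  <Step>
    <Condition>lookupcache.LC-SigningKey.cachehit = false</Condition>
    <Name>AM-DecodeSecret</Name>
  </Step>
  <Step>
    <Condition>lookupcache.LC-SigningKey.cachehit = false</Condition>
    <Name>PC-SigningKey</Name>
  </Step>
</SharedFlow>

<!-- policies/LC-SigningKey.xml: cache hit fills private.signing_key directly -->
<LookupCache name="LC-SigningKey">
  <CacheKey><KeyFragment>jwt-signing-key</KeyFragment></CacheKey>
  <Scope>Exclusive</Scope>
  <AssignTo>private.signing_key</AssignTo>
</LookupCache>

<!-- policies/SC-SecretManager.xml: fetch the latest version of the secret.
     Project id and secret name below are placeholders (assumption). -->
<ServiceCallout name="SC-SecretManager">
  <Request variable="secretRequest">
    <Set><Verb>GET</Verb></Set>
  </Request>
  <Response>secretResponse</Response>
  <Timeout>5000</Timeout>
  <HTTPTargetConnection>
    <Authentication>
      <GoogleAccessToken>
        <Scopes>
          <Scope>https://www.googleapis.com/auth/cloud-platform</Scope>
        </Scopes>
      </GoogleAccessToken>
    </Authentication>
    <URL>https://secretmanager.googleapis.com/v1/projects/my-gcp-project/secrets/jwt-signing-key/versions/latest:access</URL>
  </HTTPTargetConnection>
</ServiceCallout>

<!-- policies/EV-Secret.xml: pull the base64 payload out of the JSON reply -->
<ExtractVariables name="EV-Secret">
  <Source>secretResponse</Source>
  <VariablePrefix>sm</VariablePrefix>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <JSONPayload>
    <Variable name="secret_b64">
      <JSONPath>$.payload.data</JSONPath>
    </Variable>
  </JSONPayload>
</ExtractVariables>

<!-- policies/AM-DecodeSecret.xml: decode into a private.* variable, which keeps
     the value out of trace output -->
<AssignMessage name="AM-DecodeSecret">
  <AssignVariable>
    <Name>private.signing_key</Name>
    <Template>{decodeBase64(sm.secret_b64)}</Template>
  </AssignVariable>
</AssignMessage>

<!-- policies/PC-SigningKey.xml: cache for one hour; populating from a private.*
     variable stores the entry encrypted -->
<PopulateCache name="PC-SigningKey">
  <CacheKey><KeyFragment>jwt-signing-key</KeyFragment></CacheKey>
  <Scope>Exclusive</Scope>
  <ExpirySettings><TimeoutInSec>3600</TimeoutInSec></ExpirySettings>
  <Source>private.signing_key</Source>
</PopulateCache>
```

A GenerateJWT policy downstream can then reference the key with `<PrivateKey><Value ref="private.signing_key"/></PrivateKey>`. The TTL is the rotation lag: after a new secret version is added in Secret Manager, each runtime instance keeps signing with the old key for up to `TimeoutInSec`, so pick the value to match how long the old key must stay published in the JWKS, and keep the KVM out of the path entirely rather than copying the secret into it, since the KVM would then become a second place to rotate.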