4.3 KiB
4.3 KiB
Runbook: Attestor - Signing Key Expired
Sprint: SPRINT_20260117_029_DOCS_runbook_coverage Task: RUN-005 - Attestor Runbooks
Metadata
| Field | Value |
|---|---|
| Component | Attestor |
| Severity | Critical |
| On-call scope | Platform team, Security team |
| Last updated | 2026-01-17 |
| Doctor check | check.attestor.key-expiration |
Symptoms
- Attestation creation failing with "key expired" error
- Alert
AttestorKeyExpiredfiring - Error: "signing key certificate has expired"
- New attestations cannot be created
- Verification of new attestations failing
Impact
| Impact Type | Description |
|---|---|
| User-facing | No new attestations can be signed; releases blocked |
| Data integrity | Existing attestations remain valid; new ones cannot be created |
| SLA impact | Release SLO violated; compliance posture compromised |
Diagnosis
Quick checks
-
Check Doctor diagnostics:
stella doctor --check check.attestor.key-expiration -
List signing keys and expiration:
stella keys list --type signing --show-expirationLook for: Keys with status "expired" or expiring soon
-
Check active signing key:
stella attest config get signing.key_id stella keys show <key-id> --details
Deep diagnosis
-
Check certificate chain validity:
stella crypto cert verify-chain --key <key-id>Problem if: Any certificate in chain expired
-
Check for backup keys:
stella keys list --type signing --status inactiveLook for: Unexpired backup keys that can be activated
-
Check key rotation history:
stella keys rotation-history --key <key-id>
Resolution
Immediate mitigation
-
If backup key available, activate it:
stella keys activate <backup-key-id> stella attest config set signing.key_id <backup-key-id> stella attest reload -
Verify signing works:
stella attest test-sign -
Retry failed attestations:
stella attest retry --failed --last 1h
Root cause fix
Generate new signing key:
-
Generate new key pair:
stella keys generate \ --type signing \ --algorithm ecdsa-p256 \ --validity 365d \ --name "signing-key-$(date +%Y%m%d)" -
If using HSM:
stella keys generate \ --type signing \ --algorithm ecdsa-p256 \ --validity 365d \ --hsm-slot <slot> \ --name "signing-key-$(date +%Y%m%d)" -
Register the new key:
stella keys register <new-key-id> --purpose attestation-signing -
Update signing configuration:
stella attest config set signing.key_id <new-key-id> stella attest reload -
Publish new public key to trust anchors:
stella issuer keys publish <new-key-id>
Configure automatic rotation:
-
Enable auto-rotation:
stella keys config set rotation.auto true stella keys config set rotation.before_expiry 30d stella keys config set rotation.overlap_days 14 -
Set up rotation alerts:
stella keys config set alerts.expiring_days 30 stella keys config set alerts.expiring_days_critical 7
Verification
# Verify new key is active
stella keys list --type signing --status active
# Test signing
stella attest test-sign
# Create test attestation
stella attest create --type test --subject "test:key-rotation"
# Verify the attestation
stella verify attestation --last
# Check key expiration
stella keys show <new-key-id> --details | grep -i expir
Prevention
- Rotation: Enable automatic key rotation 30 days before expiry
- Monitoring: Alert on keys expiring within 30 days (warning) and 7 days (critical)
- Backup: Maintain at least one backup signing key
- Documentation: Document key rotation procedures and approval process
Related Resources
- Architecture:
docs/modules/attestor/architecture.md - Related runbooks:
attestor-signing-failed.md,attestor-hsm-connection.md - Doctor check:
src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Attestor/ - Key management:
docs/operations/key-management.md