With the security model of Enclaves, the responsibility to rotate the signing certificate for your Enclave falls to you. This is crucial as an expired certificate will prevent your Enclave from starting due to failed signature verification. This guide provides a step-by-step walkthrough to efficiently rotate the signing certificate for your Enclave.
Begin by generating a new signing certificate, valid for 365 days, with the following command:
Executing this command will create a new signing certificate and private key, saving them as
If your attestation client uses a hardcoded PCR8 value, you must update it to match the new signing certificate's PCR8 value. To obtain this new value, build the Enclave, which will display the new attestation measures:
Replace the existing certificate and key in your deployment workflow with the newly generated ones.
With the updated signing certificate, deploy your Enclave as you normally would, using the new certificate:
That's it! Following these steps keeps your Enclave's signing certificate up to date, so your Enclave continues to run smoothly.
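Because an expired signing certificate stops the Enclave from starting, it helps to gate deployments on a check like the one below. This is an added example, not part of the original guide or the Enclaves tooling: it uses the standard `openssl` CLI to confirm the certificate is not about to expire and that it pairs with the private key you are about to deploy. The function names, file paths and the 30-day threshold are assumptions.

```shell
# Added example: pre-deployment checks for an Enclave signing certificate.
# Function names, paths and the 30-day default are assumptions, not guide values.

# Succeeds if the certificate is still valid $2 days from now.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Succeeds if the certificate's public key is the one derived from the private key.
cert_matches_key() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# rotation_check CERT KEY [DAYS]
# Returns 0 = safe to deploy, 1 = rotate now, 2 = certificate or key unusable.
rotation_check() {
  local cert=$1 key=$2 days=${3:-30}
  if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
    echo "ERROR: cannot parse certificate $cert" >&2
    return 2
  fi
  if ! cert_matches_key "$cert" "$key"; then
    echo "ERROR: $key is not the private key for $cert" >&2
    return 2
  fi
  if ! cert_valid_for_days "$cert" "$days"; then
    echo "ROTATE: $cert expires within $days days" >&2
    return 1
  fi
  echo "OK: $cert is valid for more than $days days"
}
```

Run `rotation_check cert.pem key.pem 30` in the pipeline before the deploy step and fail the job on any non-zero status, so a mismatched or nearly expired certificate is caught before the Enclave is built with it.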