Rotate an Enclave Signing Certificate

With the security model of Enclaves, the responsibility to rotate the signing certificate for your Enclave falls to you. This is crucial as an expired certificate will prevent your Enclave from starting due to failed signature verification. This guide provides a step-by-step walkthrough to efficiently rotate the signing certificate for your Enclave.

Step 1: Generate a New Enclave Signing Certificate

Begin by generating a new signing certificate, valid for 365 days, with the following command:

Executing this command will create a new signing certificate and private key, saving them as ./cert.pem and ./key.pem respectively.

Step 2: Update PCR8 for Attestation in Clients (If Required)

If your attestation client uses a hardcoded PCR8 value, you must update it to match the new signing certificate's PCR8 value. To obtain this new value, build the Enclave, which will display the new attestation measures:

Step 3: Incorporate the New Certificate and Key into Your Deployment Workflow

Replace the existing certificate and key in your deployment workflow with the newly generated ones.

Step 4: Deploy Your Enclave

With the updated signing certificate, deploy your Enclave as you normally would, using the new certificate:

That's it! Following these steps ensures your Enclave's signing certificate is up-to-date, making sure your Enclave run smoothly.