Key Rotation Alert Operations

Key Rotation alert operations include creating, editing or deleting a key rotation alert, configuring an alert schedule, copying alerts to create similar alerts for different recipients or collections, and testing alerts.

Note:  Key rotation alerts support using either the legacy alerting system to deliver alerts or the newer workflowClosed A workflow is a series of steps necessary to complete a process. In Keyfactor Command, it refers to the workflow builder, which allows you to automate event-driven tasks such as when a certificate is requested, revoked or found in a certificate store. system. The workflow system offers more options for injecting actions in the process than the legacy alerting system. To configure an alert to use the workflow system for alerting, toggle Use Workflows to enable the option and create a workflow for the alert (see details below).

When the alerts are run using workflow, there are two Keyfactor Command service jobs that perform this function. The first, running as scheduled for the alerts (see Configuring a Key Rotation Alert Schedule), gathers any SSHClosed The SSH (secure shell) protocol provides for secure connections between computers. It provides several options for authentication, including public key, and protects the communications with strong encryption. keys that are approaching their stale date and that meet the alert criteria. The second, running every 10 minutes, takes the collected SSH keys and generates workflow instances for each.

Refer to the following table for a complete list of the substitutable special text that can be used to customize alert messages.

Table 14: Substitutable Special Text for Key Rotation Alerts using the Legacy Alerting System

Variable

Name

Description

{comment}

Comment in Key

The user-defined descriptive comment, if any, on the key. Although entry of an email address in the comment field of an SSH key is traditional, this is not a required format. The comment may can contain any characters supported for string fields, including spaces and most punctuation marks.

{fingerprint}

Fingerprint of Key

The fingerprint of the public key. Each SSH public key has a single cryptographic fingerprint that can be used to uniquely identify the key.

{keylength}

Key Length

The key length for the key. The key length depends on the key type selected. Keyfactor Command supports 256 bits for Ed25519 and ECDSA and 2048 or 4096 bits for RSA.

{keytype}

Key Type

A number of cryptographic algorithms can be used to generate SSH keys. Keyfactor Command supports RSA, Ed25519, and ECDSA. RSA keys are more universally supported, and this is the default key type when generating a new key.

{serverlogons}

Number of Server Logons for Key

The number of Linux logons associated with the key, if any, granting the holder of the private key pair logon access on the server where the Linux logon resides.

{username}

Username associated with Key

The username of the user or service account associated with the key. For a user, the username is in the form of an Active Directory account (e.g. DOMAIN\username). For a service account, the username is made up of the username and client hostname entered when the service account key was created (e.g. myapp@appsrvr75).