diff --git a/server_admin/topics/realms/keys.adoc b/server_admin/topics/realms/keys.adoc index 8bda6285e3..ef182d6644 100644 --- a/server_admin/topics/realms/keys.adoc +++ b/server_admin/topics/realms/keys.adoc @@ -14,10 +14,10 @@ To view the active keys for a realm select the realm in the admin console click will show the currently active keys for the realm. {project_name} currently only supports RSA signatures so there is only one active keypair. In the future as more signature algorithms are added there will be more active keypairs. -To view all available keys select `All`. This will show all active, passive and disabled keys. A keypair can have the -status `Active`, but still not be selected as the currently active keypair for the realm. The selected active pair which -is used for signatures is selected based on the first key provider sorted by priority that is able to provide an - active keypair. +To view passive or disabled keys select `Passive` or `Disabled`. This will show passive or disabled keys. +A keypair can have the status `Active`, but still not be selected as the currently active keypair for the realm. +The selected active pair which is used for signatures is selected based on the first key provider sorted by priority +that is able to provide an active keypair. ==== Rotating keys 
@@ -70,13 +70,13 @@ Fill in the values for `Keystore`, `Keystore Password`, `Key Alias` and `Key Pas ==== Making keys passive -Locate the keypair in `Active` or `All` then click on the provider in the `Provider` column. This will take you to the +Locate the keypair in `Active` then click on the provider in the `Provider` column. This will take you to the configuration screen for the key provider for the keys. Click on `Active` to turn it `OFF`, then click on `Save`. The keys will no longer be active and can only be used for verifying signatures. ==== Disabling keys -Locate the keypair in `Active` or `All` then click on the provider in the `Provider` column. This will take you to the +Locate the keypair in `Active` then click on the provider in the `Provider` column. This will take you to the configuration screen for the key provider for the keys. Click on `Enabled` to turn it `OFF`, then click on `Save`. The keys will no longer be enabled. @@ -86,7 +86,7 @@ Alternatively, you can delete the provider from the `Providers` table. {project_name} has the signing keys stored just locally and they are never shared with the client applications, users or other entities. However if you think that your realm signing key was compromised, you should first generate new keypair as described above and -then immediatelly remove the compromised keypair. +then immediately remove the compromised keypair. Then to ensure that client applications won't accept the tokens signed by the compromised key, you should update and push not-before policy for the realm, which is doable from the admin console. Pushing new policy will ensure that client applications won't accept the existing
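Review bot: the two replacement sentences in the first hunk say the same thing twice: "To view passive or disabled keys select `Passive` or `Disabled`. This will show passive or disabled keys." Suggest collapsing them into one sentence, e.g. "To view passive or disabled keys, select the `Passive` or `Disabled` tab." The hunk also drops the only sentence that explained that `All` listed active, passive and disabled keys together; if that tab no longer exists in the console, the paragraph should say that keys are now viewed per status so readers of older documentation are not left looking for it.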
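Review bot: in the "Disabling keys" paragraph, "Locate the keypair in `Active` then click on the provider" is now incomplete. A keypair that was already made passive in the preceding section no longer appears under `Active`, and the first hunk states that passive keys are listed under `Passive`, so the procedure as written no longer covers disabling a passive key. Suggest "Locate the keypair in `Active` or `Passive`, then click on the provider in the `Provider` column." The same missing comma after `Active` applies to the "Making keys passive" line edited in this hunk.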
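Review bot: the spelling fix "immediatelly" to "immediately" is correct. While this paragraph is being touched, the unchanged context line just above it, "you should first generate new keypair as described above", is missing an article ("a new keypair"), and "which is doable from the admin console" in the following line would read better as "which you can do from the admin console".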