Runbook — Certificate Rotation

Finnest Power uses mTLS at the gateway boundary and PS256 signing keys in Keycloak. Rotate on the normal schedule, immediately after compromise, or when regulator directory metadata changes.

ICP-Brasil Certificates

1. Obtain the new certificate bundle from the approved ICP-Brasil CA.
2. Stage the new bundle as a Kubernetes secret:

   kubectl -n finnest-prod create secret generic icp-brasil-ca \
     --from-file=ca.crt=new-ca-bundle.pem \
     --dry-run=client -o yaml | kubectl apply -f -

3. Restart gateway pods so Kong picks up the new material:

   kubectl -n finnest-prod rollout restart deployment/finnest-kong
   kubectl -n finnest-prod rollout status deployment/finnest-kong --timeout=10m

4. Verify mTLS with a known-good client certificate and with an expired/revoked certificate.

Keycloak Signing Keys

1. Create a new Keycloak key with kid=YYYY-Q<n> and PS256 algorithm.
2. Mark the new key active while keeping the previous key passive for the token overlap window.
3. Confirm JWKS exposes both keys during the overlap window.
4. Remove the previous key only after all tokens signed by it have expired.

Finnest License Keys

1. Generate a replacement Ed25519 key pair:

   openssl genpkey -algorithm ed25519 -out license-new.pem
   openssl pkey -in license-new.pem -pubout -out license-new-pub.pem

2. Update the public key package and publish a release.
3. Keep customer upgrade windows explicit because services validate licenses against their packaged public key.

Verification

• Gateway accepts valid mTLS clients and rejects invalid clients.
• Keycloak signs new tokens with the new kid.
• Services can verify licenses after the package update.
• No private key material is committed or printed in CI logs.