Our setup:

Brokers on 0.10.1
Clients on 0.9

- On startup, clients are dynamically issued a signed certificate that is
  valid for 48 hours. A JKS is created using this certificate.
- All brokers have a signed certificate in their JKS that is valid for some
  years.

The issue:

Clients only load their JKS once on startup. After 48 hours when the
certificate expires, if a broker then restarts, clients are not able to
make a new SSL connection with the JKS and certificate that was loaded on
startup.

We have thousands of clients running at any given time, and do not want to
need to restart every service each time the certificates expire. We could
also make our client certificates last longer but that seems like a
possible security flaw.

Our first proposed solution was to just rewrite the underlying JKS with a
new certificate every hour or so. However, as I mentioned, the JKS is only
loaded once at startup, so clients will never load this new JKS with a new
valid certificate.

In the context of a producer, the solution we are thinking of is to develop
a wrapper that is essentially a rolling client. Every so often, you rewrite
the JKS with a new valid certificate, create a new client which will load
the new JKS, swap the main client with the old client, then close the
original client and repeat the process.

Has anybody else run into this problem and found a good solution? I'm
interested to hear any other solutions for tearing down and rebuilding SSL
connections on the fly.


Thanks,
Alex
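
The rolling-producer wrapper described in the message above, as an added example that is not part of the original post and not Kafka's own code. `RollingProducer` and the `config` supplier are hypothetical names, and it assumes a separate job has already rewritten the keystore file named by `ssl.keystore.location` before each roll.

```java
import java.util.Properties;
import java.util.concurrent.*;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import java.util.function.Supplier;
import org.apache.kafka.clients.producer.KafkaProducer;
import org.apache.kafka.clients.producer.Producer;
import org.apache.kafka.clients.producer.ProducerRecord;
import org.apache.kafka.clients.producer.RecordMetadata;

// Hypothetical wrapper (not a Kafka class): a new producer per period re-reads the keystore.
public class RollingProducer<K, V> implements AutoCloseable {
    private final ReentrantReadWriteLock lock = new ReentrantReadWriteLock();
    private final ScheduledExecutorService timer = Executors.newSingleThreadScheduledExecutor();
    private final Supplier<Properties> config; // assumed: full producer config incl. ssl.keystore.location
    private Producer<K, V> current;            // replaced only under the write lock

    public RollingProducer(Supplier<Properties> config, long period, TimeUnit unit) {
        this.config = config;
        this.current = new KafkaProducer<>(config.get());
        timer.scheduleAtFixedRate(this::roll, period, period, unit);
    }

    public Future<RecordMetadata> send(ProducerRecord<K, V> record) {
        lock.readLock().lock(); // senders share this lock; a swap waits for them to return
        try {
            return current.send(record);
        } finally {
            lock.readLock().unlock();
        }
    }

    private synchronized void roll() {
        if (timer.isShutdown()) return; // close() already ran, do not create a new producer
        try {
            Producer<K, V> fresh = new KafkaProducer<>(config.get()); // loads the rewritten JKS
            lock.writeLock().lock();
            Producer<K, V> old = current;
            current = fresh;
            lock.writeLock().unlock();
            old.close(); // no sender still holds it; blocks until its buffered records are sent
        } catch (RuntimeException e) {
            System.err.println("producer roll failed: " + e); // a throw would cancel the schedule
        }
    }

    public synchronized void close() {
        timer.shutdownNow();
        current.close();
    }
}
```

Records buffered in the old producer are flushed during `close()`, while new sends already go to the fresh one, so ordering is not preserved across a roll.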
