====== 5.4 Ephemeral Certificates ======
Short-lived session certificates for enhanced security.
===== Concept =====
* Main certificate authenticates once
* Server issues ephemeral certificate
* Ephemeral certificate valid only for this session
* Automatic rotation at the configured interval (see ValidityMinutes below)
===== Flow =====
1. Client -> Server: Main certificate
2. Server validates against CA
3. Server -> Client: Ephemeral certificate (signed)
4. Client uses ephemeral certificate for requests
5. After expiry: Back to step 1
===== Configuration =====
<code json>
{
  "Security": {
    "EphemeralCertificate": {
      "Enabled": true,
      "ValidityMinutes": 15,
      "RotationBeforeExpiryMinutes": 2
    }
  }
}
</code>
===== Rotation =====
The client must request a new ephemeral certificate in time:
<code csharp>
// Check if rotation is needed: request a new certificate RotationBeforeExpiryMinutes (2 in the configuration above) before NotAfter.
// X509Certificate2.NotAfter is reported in local time, so convert it to UTC before comparing with DateTime.UtcNow;
// otherwise the comparison is off by the local UTC offset and rotation can happen after expiry.
if (ephemeralCert.NotAfter.ToUniversalTime() < DateTime.UtcNow.AddMinutes(2))
{
    ephemeralCert = await RequestNewEphemeralCert();
}
</code>
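The flow and the rotation check above in C#, as an added example that is not the page's or the PQ-Crypto library's own code: the server issues a 15-minute certificate from a session CA with the standard System.Security.Cryptography.X509Certificates API, and the client decides when to rotate using the UTC-corrected comparison. Assumptions: .NET 6 or later, classical ECDSA keys (the PQ provider API is not shown on this page), and the names EphemeralCertIssuer, IssueEphemeral and NeedsRotation are this example's own.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class EphemeralCertIssuer
{
    // Server side (flow step 3): issue a certificate valid only for validityMinutes.
    // The issuer must be a CA certificate that carries its private key.
    public static X509Certificate2 IssueEphemeral(X509Certificate2 issuer, string sessionSubject, int validityMinutes)
    {
        // The session key stays alive as long as the returned certificate references it.
        ECDsa sessionKey = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        var request = new CertificateRequest($"CN={sessionSubject}", sessionKey, HashAlgorithmName.SHA256);
        // End-entity only: an ephemeral certificate must not be able to issue further certificates.
        request.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, true));
        request.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, true));

        DateTimeOffset now = DateTimeOffset.UtcNow;
        byte[] serial = RandomNumberGenerator.GetBytes(16);
        serial[0] &= 0x7F; // serial numbers must be positive integers
        // Backdating NotBefore by one minute tolerates small clock skew between client and server.
        using X509Certificate2 publicOnly =
            request.Create(issuer, now.AddMinutes(-1), now.AddMinutes(validityMinutes), serial);
        return publicOnly.CopyWithPrivateKey(sessionKey);
    }

    // Client side (rotation): true once we are within rotationBeforeExpiryMinutes of NotAfter.
    // NotAfter is reported in local time, so it is converted to UTC before the comparison.
    public static bool NeedsRotation(X509Certificate2 cert, int rotationBeforeExpiryMinutes, DateTime? utcNow = null)
    {
        DateTime now = utcNow ?? DateTime.UtcNow;
        return cert.NotAfter.ToUniversalTime() <= now.AddMinutes(rotationBeforeExpiryMinutes);
    }

    public static void Main()
    {
        // Constructed stand-in for the server's CA (self-signed, CA=true, KeyCertSign).
        using ECDsa caKey = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        var caRequest = new CertificateRequest("CN=Session CA (example)", caKey, HashAlgorithmName.SHA256);
        caRequest.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        caRequest.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.KeyCertSign, true));
        using X509Certificate2 ca =
            caRequest.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-1), DateTimeOffset.UtcNow.AddDays(1));

        // ValidityMinutes = 15 and RotationBeforeExpiryMinutes = 2, as in the configuration section.
        using X509Certificate2 ephemeral = IssueEphemeral(ca, "client-session-0001", validityMinutes: 15);
        Console.WriteLine($"Ephemeral cert valid until {ephemeral.NotAfter.ToUniversalTime():u}");
        Console.WriteLine($"Rotate now? {NeedsRotation(ephemeral, 2)}");
        Console.WriteLine($"Rotate 14 min later? {NeedsRotation(ephemeral, 2, DateTime.UtcNow.AddMinutes(14))}");
    }
}
```

The second NeedsRotation call passes a simulated clock 14 minutes ahead, which falls inside the 2-minute rotation window of a 15-minute certificate.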
===== Benefits =====
* Compromised certificate only valid briefly
* Forward Secrecy
* Minimized attack surface
===== PQ-Crypto Library =====
For programmatic creation of ephemeral PQ certificates see:
* [[..:..:..:..:..:pqcrypt:api:wvds-system-security-cryptography:x509certificates:certificaterequestextensions|CertificateRequest Extensions]]
* [[..:..:..:..:..:pqcrypt:api:wvds-system-security-cryptography:providers:nativecryptoprovider|NativeCryptoProvider.CreateEphemeralCertificateAsync]]
* [[..:..:..:..:..:pqcrypt:developer:integration|Integration Guide]]