Short-lived session certificates for enhanced security.
1. Client -> Server: Main certificate
2. Server validates against CA
3. Server -> Client: Ephemeral certificate (signed)
4. Client uses ephemeral certificate for requests
5. After expiry: Back to step 1
```json
{
  "Security": {
    "EphemeralCertificate": {
      "Enabled": true,
      "ValidityMinutes": 15,
      "RotationBeforeExpiryMinutes": 2
    }
  }
}
```
The client must request a new ephemeral certificate in time:
```csharp
// Check whether rotation is needed: request a new ephemeral certificate
// once fewer than RotationBeforeExpiryMinutes (2) remain before NotAfter.
if (ephemeralCert.NotAfter < DateTime.UtcNow.AddMinutes(2))
{
    ephemeralCert = await RequestNewEphemeralCert();
}
```
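The five-step flow and the rotation check above, as an added end-to-end example that is not code from the original page. It is written in Go with the standard library rather than the page's C#, so that the issuing, validation and rotation logic can be run as a whole. The function names (`newCA`, `issueEphemeral`, `verifyAgainstCA`, `needsRotation`) are this example's own; the client's main certificate from step 1 is reduced to the client's key pair, and ECDSA P-256 stands in for the post-quantum algorithm, which the page does not specify. The 15-minute validity and 2-minute rotation margin come from the configuration block.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Durations taken from the page's configuration block.
const (
	validityMinutes             = 15
	rotationBeforeExpiryMinutes = 2
)

// newCA builds a self-signed CA standing in for the CA the server trusts
// (constructed for this example only).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Session CA"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueEphemeral is the server side of step 3: after the client's main
// certificate has been validated, sign a short-lived client-auth certificate
// for the client's public key with the configured validity window.
func issueEphemeral(ca *x509.Certificate, caKey *ecdsa.PrivateKey, clientPub *ecdsa.PublicKey, now time.Time) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: "session-client"},
		NotBefore:    now.Add(-30 * time.Second), // small clock-skew allowance
		NotAfter:     now.Add(validityMinutes * time.Minute),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, clientPub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAgainstCA is the check the server performs in step 2 and that any
// relying party performs on the ephemeral certificate in step 4: the chain
// must end at the CA and the validity window must contain the time `at`.
func verifyAgainstCA(cert, ca *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// needsRotation mirrors the page's client-side check: go back to step 1 once
// fewer than RotationBeforeExpiryMinutes remain before NotAfter.
func needsRotation(cert *x509.Certificate, now time.Time) bool {
	return cert.NotAfter.Before(now.Add(rotationBeforeExpiryMinutes * time.Minute))
}

func main() {
	ca, caKey, err := newCA()
	if err != nil {
		panic(err)
	}
	// Step 1 is reduced to the client's key pair for this example.
	clientKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	cert, err := issueEphemeral(ca, caKey, &clientKey.PublicKey, now) // step 3
	if err != nil {
		panic(err)
	}
	fmt.Println("step 4 verify error:", verifyAgainstCA(cert, ca, now))
	fmt.Println("rotate now?", needsRotation(cert, now))
	fmt.Println("rotate at +13m30s?", needsRotation(cert, now.Add(13*time.Minute+30*time.Second)))
}
```

The rotation margin is the interesting parameter: with a 15-minute validity and a 2-minute margin, the client asks for a replacement at minute 13, so a request that is in flight when the old certificate expires already carries the new one. A relying party that checks `verifyAgainstCA` after `NotAfter` gets an expiry error, which is the intended failure mode for a lost or stale ephemeral certificate.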
For programmatic creation of ephemeral PQ certificates see: