About HSM cleanup behavior
Distributed Issuer generates a new key pair whenever it needs a new Issuer Certificate. Each key pair consumes a portion of the HSM's finite storage, so it is important to remove keys from the HSM when they're no longer needed.
A Distributed Issuer instance that is shut down gracefully will automatically remove the key pair it generated from the HSM.
Distributed Issuer and Next-Gen Trust Security
When Distributed Issuer is connected to Next-Gen Trust Security, it gains additional logic that cleans up orphaned keys left behind by Distributed Issuer instances that became inactive without being gracefully shut down (a graceful shutdown already removes the instance's own key pair, as described above). A Distributed Issuer instance is considered "inactive" if it has not reported statistics to the control plane in more than three days.
Once per day, active Distributed Issuer instances will attempt to remove keys from the HSM for inactive Distributed Issuer instances that were bootstrapped using the same configuration. The cleanup process uses a randomly generated identifier (UUID) assigned to the CKA_ID attribute for each generated key pair on the HSM device. This identifier is also sent to Next-Gen Trust Security, creating an association between the identifier and the Distributed Issuer instance.
When Distributed Issuer requests data for inactive instances from Next-Gen Trust Security, it receives the identifier for each inactive instance. Distributed Issuer then filters objects on the HSM device using the CKA_ID attribute that matches the identifier value and removes these objects from the HSM.
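The following is an added illustration of the cleanup logic described in the two preceding paragraphs; it is not Distributed Issuer's own code. The HSM and the control plane are replaced by in-memory stand-ins so it runs offline: a real implementation would use PKCS#11 (C_FindObjects with a CKA_ID template, then C_DestroyObject) against the device. Instance names, bootstrap configuration identifiers, timestamps, and the `FakeHsm`/`InstanceRecord` types are constructed for the example. It shows the three conditions that have to hold before an object is destroyed: the owning instance is inactive (more than three days, so exactly three days is kept), it was bootstrapped with the same configuration as the instance doing the cleanup, and the object's CKA_ID matches the identifier the control plane returned. It also refuses to touch the running instance's own key pair.

```python
"""Simulated orphaned-key cleanup (added example, not product code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple
import uuid

INACTIVITY_THRESHOLD = timedelta(days=3)  # "more than three days" without statistics


@dataclass
class HsmObject:
    handle: int
    cka_class: str  # "public" or "private"
    cka_id: bytes   # CKA_ID attribute: the UUID assigned when the pair was generated


class FakeHsm:
    """In-memory stand-in for a PKCS#11 token (assumption: not a real HSM)."""

    def __init__(self) -> None:
        self._objects: Dict[int, HsmObject] = {}
        self._next_handle = 1

    def generate_key_pair(self, cka_id: bytes) -> Tuple[int, int]:
        # Both halves of the pair carry the same CKA_ID so one search finds them.
        handles = []
        for cls in ("public", "private"):
            h = self._next_handle
            self._next_handle += 1
            self._objects[h] = HsmObject(h, cls, cka_id)
            handles.append(h)
        return handles[0], handles[1]

    def find_objects(self, cka_id: bytes) -> List[int]:
        # Equivalent of C_FindObjects with a {CKA_ID: cka_id} template.
        return [h for h, o in self._objects.items() if o.cka_id == cka_id]

    def destroy_object(self, handle: int) -> None:
        # Equivalent of C_DestroyObject.
        del self._objects[handle]

    def count(self) -> int:
        return len(self._objects)


@dataclass
class InstanceRecord:
    """What the control plane knows about one Distributed Issuer instance (constructed)."""
    key_id: uuid.UUID      # identifier also written to CKA_ID on the HSM
    config_id: str         # bootstrap configuration the instance was started with
    last_report: datetime  # last time statistics were reported


def inactive_instances(records: List[InstanceRecord], config_id: str, now: datetime) -> List[InstanceRecord]:
    """Instances from the same configuration that have been silent for more than the threshold."""
    return [r for r in records
            if r.config_id == config_id and now - r.last_report > INACTIVITY_THRESHOLD]


def cleanup_orphaned_keys(hsm: FakeHsm, records: List[InstanceRecord],
                          my_key_id: uuid.UUID, config_id: str, now: datetime) -> List[int]:
    """Remove HSM objects whose CKA_ID belongs to an inactive sibling instance."""
    removed = []
    for rec in inactive_instances(records, config_id, now):
        if rec.key_id == my_key_id:
            continue  # never destroy the running instance's own key pair
        for handle in hsm.find_objects(rec.key_id.bytes):
            hsm.destroy_object(handle)
            removed.append(handle)
    return removed


def run_demo() -> Dict[str, int]:
    """Populate the fake HSM and control plane with constructed data and run one cleanup pass."""
    now = datetime(2024, 1, 10, tzinfo=timezone.utc)  # constructed reference time
    hsm = FakeHsm()
    records: List[InstanceRecord] = []
    ids: Dict[str, uuid.UUID] = {}
    # name, bootstrap config, days since last statistics report (all constructed)
    for name, cfg, age_days in [("A", "cfg-1", 0),   # the instance running the cleanup
                                ("B", "cfg-1", 5),   # orphaned: same config, silent > 3 days
                                ("C", "cfg-2", 10),  # silent, but a different configuration
                                ("D", "cfg-1", 1),   # active sibling
                                ("E", "cfg-1", 3)]:  # exactly 3 days: not "more than", kept
        kid = uuid.uuid4()
        ids[name] = kid
        hsm.generate_key_pair(kid.bytes)
        records.append(InstanceRecord(kid, cfg, now - timedelta(days=age_days)))
    before = hsm.count()
    removed = cleanup_orphaned_keys(hsm, records, ids["A"], "cfg-1", now)
    return {
        "before": before,
        "removed": len(removed),
        "after": hsm.count(),
        "b_remaining": len(hsm.find_objects(ids["B"].bytes)),
        "c_remaining": len(hsm.find_objects(ids["C"].bytes)),
        "e_remaining": len(hsm.find_objects(ids["E"].bytes)),
    }


if __name__ == "__main__":
    print(run_demo())
```

Only instance B's two objects are destroyed: C is filtered out by configuration, E sits exactly on the three-day boundary, and A, the instance performing the cleanup, is skipped by the self-check. In a real deployment the same selection should be logged with the CKA_ID values removed, so that an unexpected deletion can be traced back to the control-plane record that triggered it.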