Is seamless certificate rotation possible?


Aleksa Jankovic

Mar 27, 2020, 12:19:10 PM
to grpc.io
I am developing a product that has 2 services, let's call them service A and service B.
In a typical scenario there is one instance of service A and multiple instances of service B.
Since they need to communicate, service A has multiple clients and each service B has a server running.

I am wondering whether gRPC supports seamless certificate rotation.
I see that there was work done in order to bring dynamic certificate reloading (without having to restart).

As I see it, seamless rotation would require that either the server or the client supports having 2 certificates during the rotation.
If the client supported 2 certificates, then service A could talk to service B regardless of whether one instance (of B) is still on the old cert and another is on the new cert.
If the server supported 2 certificates, then service B would accept calls from service A regardless of whether service A had been updated to the new cert, and after it had been updated, all service B instances could be signaled to drop the old cert.

Thank you in advance,
Alex

Alex

Apr 14, 2020, 12:33:03 PM
to grpc.io
For anyone looking for the same answer, here is what I discovered.
TL;DR: Yes.

Long version:
Both gRPC client and server support having multiple certificates for their root authorities (which are checked when the authentication of the other side is performed).
Some implementations of gRPC have "dynamic SSL certificate reloading", meaning you do not have to restart the server for it to pick up new certs; instead, every time a channel is going to be created, the server fetches the current certs via some certificate_fetcher. Channels created with old certs stay open since they have already shared the symmetric key (for more info on this, read how TLS works).

These two functionalities enable seamless cert rotation.
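The two mechanisms from the answer, as an added Go example (not gRPC code and not from this thread; it uses Go's standard crypto/tls, which grpc-go builds on): service A trusts two roots at once, and service B hands each new handshake whatever its certificate fetcher currently holds (modelled here with GetCertificate). The roots "old-root"/"new-root", the name "service-b" and the loopback listener are constructed for the demo.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"sync/atomic"
	"time"
)
// issue mints a throwaway self-signed root (parent == nil) or a "service-b" leaf signed by parent.
func issue(cn string, parent *tls.Certificate) *tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), DNSNames: []string{"service-b"},
		IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil { // self-signed: the template is its own issuer, signed with its own key
		parent = &tls.Certificate{PrivateKey: key, Leaf: tpl}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, parent.Leaf, pub, parent.PrivateKey.(ed25519.PrivateKey))
	parsed, _ := x509.ParseCertificate(der)
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: parsed}
}
// Rotate moves service B from "old-root" to "new-root" without restarting its listener while service A trusts both; returns the issuer CN seen before and after.
func Rotate() (string, string) {
	oldRoot, newRoot := issue("old-root", nil), issue("new-root", nil)
	pool := x509.NewCertPool() // service A: both roots trusted for the rotation window
	pool.AddCert(oldRoot.Leaf)
	pool.AddCert(newRoot.Leaf)
	ccfg := &tls.Config{RootCAs: pool, ServerName: "service-b"}
	var cur atomic.Value // service B: what its certificate fetcher currently returns
	cur.Store(issue("service-b", oldRoot))
	scfg := &tls.Config{GetCertificate: func(*tls.ClientHelloInfo) (*tls.Certificate, error) { return cur.Load().(*tls.Certificate), nil }}
	ln, _ := net.Listen("tcp", "127.0.0.1:0")
	defer ln.Close()
	issuerSeen := func() string { // one handshake as service A would do it; which root signed B's cert?
		go func() { c, _ := ln.Accept(); s := tls.Server(c, scfg); s.Handshake(); s.Close() }()
		conn, err := tls.Dial("tcp", ln.Addr().String(), ccfg)
		if err != nil {
			return err.Error() // a failed handshake shows up in the result instead of being hidden
		}
		defer conn.Close()
		return conn.ConnectionState().PeerCertificates[0].Issuer.CommonName
	}
	before := issuerSeen()
	cur.Store(issue("service-b", newRoot)) // the rotation: no restart, sessions already open are unaffected
	return before, issuerSeen()
}
```

The handshakes run over a loopback TCP socket, so the example needs to be able to bind 127.0.0.1; once every B instance has rotated, the old root would be removed from A's pool to close the window.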