ucl rekey

The command generates a new key (Key-Rotation) with instant or delayed activation of the key.

The re-key operation can be applied only once. To continue rotating the key, apply the re-key to the latest version of the key. This process creates a chain of keys. 

ucl rekey -u <UID> | -n <key name>
[-r [--interval <days>]
[-o [--offset ] <days>] [-y [--yes]] // Skip the confirmation prompt
  • --interval - sets the periodic key rotation to every <days> day.
    To disable rotation, use --interval 0
  • --offset - See below.

The offset option (see Manual Rotation) offset allows adjusting the activity period of the new key relative to the current time.

Specify the offset argument to adjust the new key's timing settings relative to the command's execution time. In particular, the offset adjusts the deactivation (and activation) dates. The offset is specified in the units of days

  • offset = 0 - a zero offset triggers instant activation of the new key, yet the deactivation date is adjusted as needed.
  • offset = 1 to 3650 - during this period, the new key is in the pre-active state.
  • In particular, requests to use a key by-name will be declined because the name now points at the pre-activated key.

On the following capture, the Activation and Deactivation times of the new key (A2, D2) are compared with the times (A1, D1) of the base key.

Rekey offset