MSP Admin Rotation

When a MSP admin needs to be replaced, a new identity (that contains a new private key) has to be enrolled. However, in order to confirm the update, the old key (which is currently necessary until the transaction takes effect) has to be used for authentication reasons.

How to Revoke Signing Identities

First, a new identity has to be created.

Identity creation
Figure 1. Identity creation

Then the new identity just created must be used.

Navigate to Your MSP on the left panel of your dashboard and click on Edit on your MSP

Edit MSP
Figure 2. Edit MSP

Once in the Edit MSP menu, scroll down to Admin Identity Certificates and add the identity just created. check the box with the option to use this admin identity by default.

Set new admin identity
Figure 3. Set new admin identity

From this moment on, both Identities are being used as admin identities as shown under the Admin certificates sections on your MSP.

Admin certificates
Figure 4. Admin certificates

The previous (old) identity can be thrown away using the newly created one as a single Admin identity.

Now we must revoke the previous one.

Navigate to CAs on the left panel, pick the Identity that is going to be revoked and execute the Revoke action for the old identity.

Rotate MSP Admin Revoke old certificate
Figure 5. Revoke old certificate