KB-2390 License Signing Key Rotation for Kubernetes Native Appian

Overview: 

For security reasons, the Kubernetes Native Appian license signing key is rotated approximately every two years.

The license appian.lic is digitally signed using a private signing key, while the Appian Operator contains the corresponding public key used to validate those licenses. When the signing key is rotated, the Appian Operator must contain the updated public key to validate licenses signed with the new private key.

As a result, customers must upgrade their Appian Operator before requesting a new license generated after a signing key rotation.

Customer Impact: 

  1. Customers running old Appian Operator versions should upgrade their operator before requesting a new license after the signing key rotation. If a customer requests a new license without first upgrading the operator, the new license will fail validation with the following error for the Appian Operator:
    Failed to verify signature #l with key …
  2. Customers can safely upgrade their Appian Operator before requesting a new license, even if they are still using an existing license signed with the previous key.
  3. If a customer has an internal change management or security processes that require validating new container images before deploying them, we recommend validating and approving the latest Appian Operator in advance. Always remember to deploy the latest operator before deploying a new appian.lic as this helps avoid delays caused by requesting a license that cannot be validated by an older operator.

Rotation Schedule: 

Date Operator Version Details
August 2024 v0.161.0
  •  The previous license signing key rotation occurred.
July 2026 v0.205.0
  • The next license signing key rotation will take place.
  • Operator v0.205.0 introduces the new public key required to validate licenses signed after the 2026 rotation.
  • After the rotation: Customers requesting a newly generated license must be running Appian Operator v0.205.0 or later. Older operator versions will not recognize licenses signed with the new key.
  • Until the next signing key rotation: Appian Operator v0.205.0 and later will continue to validate licenses signed with the current signing key.

FAQ: 

Why is the signing key rotated?

Rotating signing keys is a standard security practice that helps maintain the integrity and security of digitally signed licenses.

Do existing licenses stop working after the rotation?

No. Existing licenses continue to function as normal. The change only affects newly generated licenses signed with the new signing key.

Can customers upgrade the Appian Operator before requesting a new license?

Yes. This is the recommended approach. The latest operator trusts both the previous and current signing keys, allowing it to validate both existing licenses and newly generated licenses. Older Appian Operator versions trust only the previous signing key and cannot validate licenses generated after the signing key rotation.

Affected Versions

This article applies to all supported versions of Appian on Kubernetes.

Last reviewed: July 2026

Related
Recommended