openkcm · jmpTeixeira02 · Mar 18, 2026 · Mar 27, 2026 · Mar 27, 2026 · Apr 17, 2026
diff --git a/apis/cmk/cmk-ui.yaml b/apis/cmk/cmk-ui.yaml
@@ -1894,9 +1894,6 @@ components:
         enabled:
           description: Flag indicating whether the Key is enabled
           type: boolean
-        isPrimary:
-          description: Flag indicating whether this Key is the primary (default) key for its associated key configuration.
-          type: boolean
         accessDetails:
           $ref: "#/components/schemas/KeyAccessDetails"
       additionalProperties: false
@@ -2239,6 +2236,11 @@ components:
           type: string
           maxLength: 4096
           example: This Key Configuration is used for connecting with Systems in Europe.
+        primaryKeyID:
+          description: The ID of the primary key of the configuration
+          type: string
+          format: uuid
+          example: 12345678-90ab-cdef-1234-567890abcdef
       additionalProperties: false
     KeyConfigurationKeyAdd:
       type: object

diff --git a/cmd/task-worker/main.go b/cmd/task-worker/main.go
@@ -154,7 +154,7 @@ func registerTasks(
 	certManager := manager.NewCertificateManager(ctx, r, svcRegistry, cfg)
 	tenantConfigManager := manager.NewTenantConfigManager(r, svcRegistry, cfg)
 	tagManager := manager.NewTagManager(r)
-	keyConfigManager := manager.NewKeyConfigManager(r, certManager, userManager, tagManager, cmkAuditor, cfg)
+	keyConfigManager := manager.NewKeyConfigManager(r, certManager, userManager, tagManager, cmkAuditor, eventFactory, cfg)
 	keyManager := manager.NewKeyManager(
 		r, svcRegistry, tenantConfigManager, keyConfigManager, userManager, certManager, eventFactory, cmkAuditor)
 	systemManager := manager.NewSystemManager(ctx, r, nil, eventFactory, svcRegistry, cfg, keyConfigManager, userManager)

diff --git a/cmd/tenant-manager-cli/cli_test.go b/cmd/tenant-manager-cli/cli_test.go
@@ -79,7 +79,7 @@ func (s *CLISuite) SetupSuite() {
 	cm := manager.NewCertificateManager(ctx, r, svcRegistry, cfg)
 	um := manager.NewUserManager(r, cmkAuditor)
 	tagm := manager.NewTagManager(r)
-	kcm := manager.NewKeyConfigManager(r, cm, um, tagm, cmkAuditor, cfg)
+	kcm := manager.NewKeyConfigManager(r, cm, um, tagm, cmkAuditor, eventFactory, cfg)
 
 	sys := manager.NewSystemManager(
 		ctx,

diff --git a/cmd/tenant-manager-cli/commands/commands.go b/cmd/tenant-manager-cli/commands/commands.go
@@ -46,7 +46,7 @@ func NewCommandFactory(
 	cm := manager.NewCertificateManager(ctx, r, svcRegistry, cfg)
 	um := manager.NewUserManager(r, cmkAuditor)
 	tagm := manager.NewTagManager(r)
-	kcm := manager.NewKeyConfigManager(r, cm, um, tagm, cmkAuditor, cfg)
+	kcm := manager.NewKeyConfigManager(r, cm, um, tagm, cmkAuditor, eventFactory, cfg)
 
 	sys := manager.NewSystemManager(
 		ctx,

diff --git a/cmd/tenant-manager/main.go b/cmd/tenant-manager/main.go
@@ -134,7 +134,7 @@ func createTenantManager(
 	um := manager.NewUserManager(r, cmkAuditor)
 
 	tagm := manager.NewTagManager(r)
-	kcm := manager.NewKeyConfigManager(r, cm, um, tagm, cmkAuditor, cfg)
+	kcm := manager.NewKeyConfigManager(r, cm, um, tagm, cmkAuditor, eventFactory, cfg)
 
 	sys := manager.NewSystemManager(
 		ctx,

diff --git a/internal/api/cmkapi/cmkapi.go b/internal/api/cmkapi/cmkapi.go
diff --git a/internal/apierrors/key.go b/internal/apierrors/key.go
@@ -80,14 +80,6 @@ var key = []errs.ExposedErrors[*APIError]{
 			Status:  http.StatusInternalServerError,
 		},
 	},
-	{
-		InternalErrorChain: []error{manager.ErrPrimaryKeyUnmark},
-		ExposedError: &APIError{
-			Code:    "PRIMARY_KEY_UNMARK",
-			Message: "Primary key cannot be unmarked primary",
-			Status:  http.StatusForbidden,
-		},
-	},
 	{
 		InternalErrorChain: []error{manager.ErrGetKeyDB, gorm.ErrRecordNotFound},
 		ExposedError: &APIError{

diff --git a/internal/controllers/cmk/key_controller.go b/internal/controllers/cmk/key_controller.go
@@ -72,7 +72,7 @@ func (c *APIController) GetKeys(ctx context.Context,
 		Count: ptr.GetSafeDeref(request.Params.Count),
 	}
 
-	keys, total, err := c.Manager.Keys.GetKeys(ctx, ptr.PointTo(keyConfigID), pagination)
+	keys, total, err := c.Manager.Keys.GetKeys(ctx, keyConfigID, pagination)
 	if err != nil {
 		return nil, errs.Wrap(apierrors.ErrQueryKeyList, err)
 	}
@@ -134,16 +134,6 @@ func (c *APIController) GetKeysKeyID(ctx context.Context,
 func (c *APIController) UpdateKey(ctx context.Context,
 	request cmkapi.UpdateKeyRequestObject,
 ) (cmkapi.UpdateKeyResponseObject, error) {
-	if ptr.GetSafeDeref(request.Body.IsPrimary) {
-		required, err := c.Manager.Workflow.IsWorkflowRequired(ctx)
-		if err != nil {
-			return nil, err
-		}
-
-		if required {
-			return nil, apierrors.ErrActionRequireWorkflow
-		}
-	}
 	dbKey, err := c.Manager.Keys.UpdateKey(ctx, request.KeyID, *request.Body)
 	if err != nil {
 		return nil, errs.Wrap(apierrors.ErrUpdateKey, err)

diff --git a/internal/controllers/cmk/key_controller_test.go b/internal/controllers/cmk/key_controller_test.go
@@ -629,21 +629,29 @@ func TestKeyControllerDeleteKeysKeyID(t *testing.T) {
 
 	authClient := testutils.NewAuthClient(ctx, t, r, testutils.WithKeyAdminRole())
 
-	keyConfig := testutils.NewKeyConfig(func(_ *model.KeyConfiguration) {},
-		testutils.WithAuthClientDataKC(authClient))
+	keyConfig := testutils.NewKeyConfig(
+		func(k *model.KeyConfiguration) {},
+		testutils.WithAuthClientDataKC(authClient),
+	)
 
 	key := testutils.NewKey(func(k *model.Key) {
 		k.KeyConfigurationID = keyConfig.ID
 	})
 
-	keyConfigWSys := testutils.NewKeyConfig(func(_ *model.KeyConfiguration) {},
-		testutils.WithAuthClientDataKC(authClient))
+	pKeyID := uuid.New()
+	keyConfigWSys := testutils.NewKeyConfig(
+		func(k *model.KeyConfiguration) {
+			k.PrimaryKeyID = ptr.PointTo(pKeyID)
+		},
+		testutils.WithAuthClientDataKC(authClient),
+	)
 	sys := testutils.NewSystem(func(s *model.System) {
 		s.KeyConfigurationID = ptr.PointTo(keyConfigWSys.ID)
+		s.Status = cmkapi.SystemStatusCONNECTED
 	})
 	pkey := testutils.NewKey(func(k *model.Key) {
-		k.IsPrimary = true
 		k.KeyConfigurationID = keyConfigWSys.ID
+		k.ID = pKeyID
 	})
 
 	testutils.CreateTestEntities(
@@ -744,7 +752,10 @@ func TestKeyControllerUpdateKey(t *testing.T) {
 
 	authClient := testutils.NewAuthClient(ctx, t, r, testutils.WithKeyAdminRole())
 
-	kc := testutils.NewKeyConfig(func(_ *model.KeyConfiguration) {},
+	keyID := uuid.New()
+	kc := testutils.NewKeyConfig(func(k *model.KeyConfiguration) {
+		k.PrimaryKeyID = ptr.PointTo(keyID)
+	},
 		testutils.WithAuthClientDataKC(authClient))
 
 	sysFailed := testutils.NewSystem(func(sys *model.System) {
@@ -760,7 +771,7 @@ func TestKeyControllerUpdateKey(t *testing.T) {
 	})
 
 	key := testutils.NewKey(func(k *model.Key) {
-		k.IsPrimary = true
+		k.ID = keyID
 		k.CryptoAccessData = cryptoData
 		k.ManagementAccessData = json.RawMessage("{\"test\":\"test\"}")
 		k.KeyConfigurationID = kc.ID
@@ -847,21 +858,10 @@ func TestKeyControllerUpdateKey(t *testing.T) {
 			expectedName:   "",
 			expectedDesc:   "",
 		},
-		{
-			name:  "Should error on unmark primary key",
-			keyID: key.ID.String(),
-			input: cmkapi.KeyPatch{
-				IsPrimary: ptr.PointTo(false),
-			},
-			expectedStatus: http.StatusForbidden,
-			expectedName:   "",
-			expectedDesc:   "",
-		},
 		{
 			name:  "Should code 403 on management role update",
 			keyID: key.ID.String(),
 			input: cmkapi.KeyPatch{
-				IsPrimary: ptr.PointTo(false),
 				AccessDetails: &cmkapi.KeyAccessDetails{
 					Management: &map[string]any{
 						"a": "b",
@@ -906,14 +906,6 @@ func TestKeyControllerUpdateKey(t *testing.T) {
 			expectedName:   "updated-key",
 			expectedDesc:   "updated description",
 		},
-		{
-			name:  "Should 403 when update primary key and workflow is required",
-			keyID: key.ID.String(),
-			input: cmkapi.KeyPatch{
-				IsPrimary: ptr.PointTo(true),
-			},
-			expectedStatus: http.StatusForbidden,
-		},
 	}
 
 	for _, tt := range tests {

diff --git a/internal/controllers/cmk/keyconfiguration_controller.go b/internal/controllers/cmk/keyconfiguration_controller.go
@@ -132,10 +132,28 @@ func (c *APIController) GetKeyConfigurationByID(
 }
 
 // UpdateKeyConfigurationByID updates a key configuration by ID
+//
+//nolint:nestif
 func (c *APIController) UpdateKeyConfigurationByID(
 	ctx context.Context,
 	request cmkapi.UpdateKeyConfigurationByIDRequestObject,
 ) (cmkapi.UpdateKeyConfigurationByIDResponseObject, error) {
+	if request.Body.PrimaryKeyID != nil {
+		required, err := c.Manager.Workflow.IsWorkflowRequired(ctx)
+		if err != nil {
+			return nil, err
+		}
+
+		if required {
+			kc, err := c.Manager.KeyConfig.GetKeyConfigurationByID(ctx, request.KeyConfigurationID)
+			if err != nil {
+				return nil, err
+			}
+			if kc.PrimaryKeyID != nil && *kc.PrimaryKeyID != *request.Body.PrimaryKeyID {
+				return nil, apierrors.ErrActionRequireWorkflow
+			}
+		}
+	}
 	keyConfig, err := c.Manager.KeyConfig.UpdateKeyConfigurationByID(ctx, request.KeyConfigurationID, *request.Body)
 	if err != nil {
 		return nil, err