From 346d50209c27511a688d946bc3eb6df9a6bb1065 Mon Sep 17 00:00:00 2001
From: David Boslee
Date: Thu, 22 Jan 2026 12:51:08 -0500
Subject: [PATCH 1/2] keystore: expose health check config in config file
---
 lib/config/configuration.go | 1 +
 lib/config/fileconf.go | 2 ++
 2 files changed, 3 insertions(+)
diff --git a/lib/config/configuration.go b/lib/config/configuration.go
index da8b3b9a985fb..a46255dd3e2ed 100644
--- a/lib/config/configuration.go
+++ b/lib/config/configuration.go
@@ -1065,6 +1065,7 @@ func applyKeyStoreConfig(fc *FileConfig, cfg *servicecfg.Config) error {
 if fc.Auth.CAKeyParams.AWSKMS != nil {
 return trace.Wrap(applyAWSKMSConfig(fc.Auth.CAKeyParams.AWSKMS, cfg))
 }
+ cfg.Auth.KeyStore.HealthCheck = fc.Auth.CAKeyParams.HealthCheck
 return nil
 }
diff --git a/lib/config/fileconf.go b/lib/config/fileconf.go
index 75f9f103bcd8f..676d4c8f0983b 100644
--- a/lib/config/fileconf.go
+++ b/lib/config/fileconf.go
@@ -935,6 +935,8 @@ type CAKeyParams struct {
 // AWSKMS configures AWS Key Management Service to to be used for
 // all CA private key crypto operations.
 AWSKMS *AWSKMS `yaml:"aws_kms,omitempty"`
+ // HealthCheck contains configuration for keystore health checking.
+ HealthCheck *servicecfg.KeystoreHealthCheck `yaml:"health_check,omitempty"`
 }
 // PKCS11 configures a PKCS#11 HSM to be used for private key generation and
From 587b5b29523efa4ca346bb372dd67e002fe25a14 Mon Sep 17 00:00:00 2001
From: David Boslee
Date: Thu, 22 Jan 2026 14:04:48 -0500
Subject: [PATCH 2/2] test health checking config is applied
---
 lib/config/configuration_test.go | 38 ++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
diff --git a/lib/config/configuration_test.go b/lib/config/configuration_test.go
index ac73c41fc1eff..3b54433efe836 100644
--- a/lib/config/configuration_test.go
+++ b/lib/config/configuration_test.go
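Review bot: The added assignment in applyKeyStoreConfig sits after the `if fc.Auth.CAKeyParams.AWSKMS != nil { return ... }` branch, so it is never reached when an AWS KMS backend is configured. If the PKCS#11 and GCP KMS branches above the hunk return the same way (they are outside the visible lines), `health_check` only takes effect when no HSM/KMS backend is set and is silently dropped otherwise, with no error to tell the operator. Move `cfg.Auth.KeyStore.HealthCheck = fc.Auth.CAKeyParams.HealthCheck` ahead of the backend branches, after whatever nil check on `CAKeyParams` the function performs, and confirm the apply*Config helpers do not overwrite `cfg.Auth.KeyStore` afterwards. The function starts above the hunk.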
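Review bot: The doc comment on the new `HealthCheck` field in CAKeyParams does not say what an omitted `health_check` block means. The field is a pointer with `omitempty` and patch 1/2 copies it into `cfg.Auth.KeyStore.HealthCheck` unchanged, so nil reaches the runtime config and its meaning (disabled or a default) is decided elsewhere. Suggest something like `// HealthCheck configures keystore health checking. When omitted the value stays nil and the auth service default applies.`, adjusted to the real default. Because the file-config struct reuses the servicecfg type directly, the nested YAML keys come from that type's tags, which are not visible here and are worth confirming against the documented schema. The struct starts above the hunk.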
@@ -3414,6 +3414,44 @@ func TestApplyKeyStoreConfig(t *testing.T) {
 },
 errMessage: "must set keyring in ca_key_params.gcp_kms",
 },
+ {
+ name: "enable health checking",
+ auth: Auth{
+ CAKeyParams: &CAKeyParams{
+ HealthCheck: &servicecfg.KeystoreHealthCheck{
+ Active: &servicecfg.KeystoreActiveHealthCheck{
+ Enabled: true,
+ },
+ },
+ },
+ },
+ want: servicecfg.KeystoreConfig{
+ HealthCheck: &servicecfg.KeystoreHealthCheck{
+ Active: &servicecfg.KeystoreActiveHealthCheck{
+ Enabled: true,
+ },
+ },
+ },
+ },
+ {
+ name: "disable health checking",
+ auth: Auth{
+ CAKeyParams: &CAKeyParams{
+ HealthCheck: &servicecfg.KeystoreHealthCheck{
+ Active: &servicecfg.KeystoreActiveHealthCheck{
+ Enabled: false,
+ },
+ },
+ },
+ },
+ want: servicecfg.KeystoreConfig{
+ HealthCheck: &servicecfg.KeystoreHealthCheck{
+ Active: &servicecfg.KeystoreActiveHealthCheck{
+ Enabled: false,
+ },
+ },
+ },
+ },
 }
 for _, tt := range tests {
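Review bot: Both new cases set `HealthCheck` on a `CAKeyParams` with no key backend, which is the only path that reaches the new assignment past the AWS KMS early return shown in patch 1/2. The table therefore never exercises health checking combined with an HSM or KMS backend, which is presumably the deployment the setting is meant for. Add a case that sets `HealthCheck` alongside a populated backend such as `AWSKMS` and expects `want.HealthCheck` to carry through, plus one that leaves `HealthCheck` nil to pin the default. The test table and the loop body extend outside the hunk.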