SAML certs updates with vendors


Article ID: 102873




CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On


We have a public certificate at the IdP expiring soon, and it's been in use by more than 100 vendors (on the SP side). Is there a quick way to make this SAML 2.0 certificate update? Doing the update one by one in each partnership seems very impractical.

This environment involves a Federation Partnership with more than 100 Service Providers and a single IdP. When the IdP public certificate is expiring, the new certificate needs to be shared with the Service Providers, which can be done by sharing the exported IdP metadata. But the IdP-side partnerships, more than 100 of them, also need to pick up the correct renewed certificate, which means updating the Certificate Data Store (CDS) with the renewed IdP public certificate.


CA SSO R12.52SP1
Federation Partnership
More than 100 Service Providers, Single IDP


Your partnerships use a public certificate that is expiring soon. You want to replace it with a new certificate without touching every partnership; instead you want to make the change once in the CDS (Certificate Data Store).

The following should be tested first in a lower environment.

0. Turn on CDS logging for the AdminUI and for the Policy Server, so that if you need to troubleshoot you have some clues as to what went wrong.

Certificate Data Store (CDS) Logging 

1. Import the renewed cert using the AdminUI under a temporary alias, e.g. currentcertrenewed.

2. Rename the current cert that is going to expire to a new alias:
./ -renameAlias -alias <currentcert_alias> -newalias currentcertexpired

3. Flush the SM / Policy Server cache (Flush All).

To keep the same alias the partnerships already reference, do the following:

4. Rename the renewed cert (currentcertrenewed) to the original cert alias, which is free now that step 2 has moved the expiring cert to currentcertexpired:
./ -renameAlias -alias currentcertrenewed -newalias <currentcert_alias>

5. Flush the SM / Policy Server cache (Flush All) again.

6. List the certificates in your CDS using ./ to make sure all the needed certificates are present under the expected aliases.

!!! Flush All usually works well and reloads the certificate information, but if you see federation failures due to certificate errors, the advice is to restart the Policy Server to avoid any confusion with cached certificates.
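As an added check that is not part of the original article: after the rotation, export the IdP metadata and confirm that its signing KeyDescriptor now carries the renewed certificate before distributing it to the Service Providers. The metadata, entity ID and certificate bytes below are constructed stand-ins, not real certificates.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 metadata and XML-DSig.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, colon separated, upper case."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def metadata_certs(metadata_xml: str) -> dict:
    """Map each KeyDescriptor use ('signing', 'encryption', or 'any' when the
    attribute is absent) to the fingerprints of the certificates it carries."""
    root = ET.fromstring(metadata_xml)
    result: dict = {}
    for kd in root.iter(f"{{{NS['md']}}}KeyDescriptor"):
        use = kd.get("use", "any")
        for node in kd.iter(f"{{{NS['ds']}}}X509Certificate"):
            # Metadata carries the certificate as base64 DER, often with line breaks.
            der = base64.b64decode("".join((node.text or "").split()))
            result.setdefault(use, []).append(cert_fingerprint(der))
    return result

def signing_cert_is(metadata_xml: str, expected_fingerprint: str) -> bool:
    """True when the expected certificate is among the signing certificates.
    A KeyDescriptor without 'use' covers both signing and encryption, so it counts."""
    certs = metadata_certs(metadata_xml)
    return expected_fingerprint in certs.get("signing", []) + certs.get("any", [])

# Constructed sample: placeholder bytes standing in for DER certificates.
OLD_DER = b"old-idp-signing-certificate-placeholder"
NEW_DER = b"renewed-idp-signing-certificate-placeholder"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {base64.b64encode(NEW_DER).decode()}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{base64.b64encode(OLD_DER).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print(metadata_certs(SAMPLE_METADATA))
```

Compare the signing fingerprint reported here against the fingerprint of the renewed certificate file you imported in step 1; a mismatch means the export still reflects the old alias binding.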

You can refer to these links if you need help with the command syntax:


CDS Logging