search cancel

Renew signing partnership certificates in AdminUI and Policy Server

book

Article ID: 243672

calendar_today

Updated On:

Products

SITEMINDER CA Single Sign On Federation (SiteMinder) CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

 

When running an AdminUI, how to change a certificate for a Partnership that is due to be renewed in soon?

 

Environment

 

Policy Server acts as Identity Provider (IdP)

 

Resolution

 

At first glance, from the Siteminder documentation, it's recommended to use the functionality "Secondary Verification Certificate Alias" (1).

From the Knowledge database, other alternatives to update that certificate are also possible (2)(3).

 

Additional Information

 

(1)

    Signature and Encryption Dialog (SAML 2.0 IdP)

      Secondary Verification Certificate Alias(Optional) 

      Specifies a second certificate alias for a certificate in the
      certificate data store. If verification of a signed authentication
      request fails using the verification certificate alias, the IdP
      uses this secondary verification alias. Specifying a secondary
      alias is useful if an SP rolls over its signing certificate. A
      rollover can occur for any reason, such as when a certificate
      expires, a private key is compromised, or the private key size
      changes. If the certificate is not already in the certificate data
      store, click Import to import one.  When secondary certificates
      are configured or updated for an active partnership, the run time
      automatically picks up the changes. You do not need to flush the
      cache from the UI for the changes to take effect.

 

(2)

    Recommended approach to renew an expiring sign certificate in AdminUI
 

(3)

  
    Expiring SP certificate on IDP Federation Partnership renewal