PCF Advisory - SAML Service Provider Credential Certificates Expire after 2 Years

Article ID: 297760

Products

VMware Tanzu Application Service for VMs

Issue/Introduction

The UAA component of Pivotal Application Service holds a certificate that signs outbound SAML communication to an external SAML Identity Provider (IdP). This certificate has a 2 year expiration period and must be regenerated before that time elapses.

The certificate is used to sign the SAML authentication requests that UAA sends to the Identity Provider. The signature is sent for extra security, so the impact of rotating the certificate depends on whether the IdP validates that signature.

Prerequisites

Expiration of the SAML Service Provider Credentials certificate should only have an impact if the answer to all of the following questions is 'yes':

  1. Are you using SSO in production for apps?
  2. If yes, are you using SAML Identity Providers for SSO service plans?
  3. If yes, did you have Operations Manager generate a certificate for you? (this is done by using the Generate RSA Certificate button in Operations Manager)
  4. If yes, is the Identity Provider validating the signature on the SAML authentication requests it receives?


Environment


Resolution

Validate expiration time of certificate:

For Pivotal Application Service >= 1.11.x, navigate to: 
Pivotal Application Service > UAA > SAML Service Provider Credentials

For Pivotal Application Service <= 1.10.x, navigate to: 
Pivotal Application Service > Authentication & SSO > Service Provider Credentials 

Copy the contents of the certificate into a temporary file (for example, test.pem).

Execute the following command to validate the expiration time on the certificate.

# openssl x509 -enddate -noout -in test.pem
notAfter=Dec  7 21:01:04 2017 GMT

Alternatively, you can follow steps to check by OpsManager API in article: https://discuss.pivotal.io/hc/en-us/articles/115015525088-PCF-Advisory-Internal-certificates-expire-2-years-after-installation

$ curl "https://OPS-MAN-FQDN/api/v0/deployed/certificates?expires_within=6m" \
-H "Authorization: Bearer YOUR-UAA-ACCESS-TOKEN"

Find the certificate with property uaa.service_provider_key_credentials and validate expiration:

Example (abbreviated entry from the API response):
"property_reference": ".uaa.service_provider_key_credentials", ... "valid_until": "2019-06-14T11:37:11Z"
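The two checks above can be automated. The following script is an added example and is not part of the article or of the Ops Manager tooling: it parses the output of `openssl x509 -enddate -noout` and a saved Ops Manager `/api/v0/deployed/certificates` response, filters for the `.uaa.service_provider_key_credentials` entry and reports how many days remain before expiry. The JSON is assumed to be an object with a "certificates" list whose entries carry the `property_reference` and `valid_until` fields shown in the article; the sample inputs and the reference clock are constructed.

```python
# Added example (not from the KB article): flag an expiring SAML Service
# Provider certificate from either the openssl -enddate output or an Ops
# Manager deployed/certificates API response. Sample data is constructed.
import json
from datetime import datetime, timedelta, timezone

# property_reference of the SAML SP certificate, as quoted in the article
SP_CERT_PROPERTY = ".uaa.service_provider_key_credentials"
# Warn when the certificate expires within 6 months, matching the article's
# expires_within=6m query to Ops Manager.
WARN_WITHIN = timedelta(days=180)

# Constructed inputs: the openssl line from the article and a minimal API
# response containing the SP certificate and one unrelated entry.
SAMPLE_OPENSSL_OUTPUT = "notAfter=Dec  7 21:01:04 2017 GMT"
SAMPLE_API_RESPONSE = json.loads("""{"certificates": [
  {"property_reference": ".uaa.service_provider_key_credentials",
   "valid_until": "2019-06-14T11:37:11Z"},
  {"property_reference": ".properties.example_other_cert",
   "valid_until": "2019-06-14T11:37:11Z"}
]}""")
# Constructed reference clock so the results are reproducible.
SAMPLE_NOW = datetime(2019, 3, 1, tzinfo=timezone.utc)


def parse_openssl_enddate(line: str) -> datetime:
    """Parse 'notAfter=Dec  7 21:01:04 2017 GMT' into an aware UTC datetime."""
    _, value = line.strip().split("=", 1)
    parts = value.split()  # collapses openssl's space-padded day number
    if parts[-1] != "GMT":
        raise ValueError(f"unexpected timezone in {line!r}")
    naive = datetime.strptime(" ".join(parts[:-1]), "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)


def parse_api_valid_until(stamp: str) -> datetime:
    """Parse the API's RFC 3339 timestamp, e.g. '2019-06-14T11:37:11Z'."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def expiry_status(valid_until: datetime, now: datetime,
                  warn_within: timedelta = WARN_WITHIN) -> dict:
    """Classify a certificate as ok / expiring / expired relative to now."""
    remaining = valid_until - now
    if remaining <= timedelta(0):
        state = "expired"
    elif remaining <= warn_within:
        state = "expiring"
    else:
        state = "ok"
    return {"state": state, "days_remaining": remaining.days}


def check_openssl_output(line: str, now: datetime) -> dict:
    """Status for a certificate inspected with openssl x509 -enddate -noout."""
    return expiry_status(parse_openssl_enddate(line), now)


def find_sp_certificates(api_response: dict, now: datetime) -> list:
    """Return the status of every SAML SP certificate in an API response."""
    results = []
    for cert in api_response.get("certificates", []):
        if cert.get("property_reference") != SP_CERT_PROPERTY:
            continue  # unrelated certificate, e.g. a TLS cert on a tile
        status = expiry_status(parse_api_valid_until(cert["valid_until"]), now)
        status["property_reference"] = cert["property_reference"]
        status["valid_until"] = cert["valid_until"]
        results.append(status)
    return results


if __name__ == "__main__":
    print("openssl:", check_openssl_output(SAMPLE_OPENSSL_OUTPUT, SAMPLE_NOW))
    for entry in find_sp_certificates(SAMPLE_API_RESPONSE, SAMPLE_NOW):
        print("api:", entry)
```

To use it against a live system, pipe the real `openssl` line into `check_openssl_output` or load the saved `curl` response with `json.load` and pass `datetime.now(timezone.utc)` as the clock; anything reported as "expiring" is a candidate for the rotation procedure below.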

Rotating SAML Service Provider Credential certificate

If the certificate is nearing expiration then it needs to be regenerated.

Regeneration is only disruptive if Pivotal Application Service is configured to use SSO / SAML and the IdP validates the signed requests; in that case the new certificate must be imported into the IdP.

Perform the following steps:

  1. Arrange for IdP admin to be available before certificate expiration occurs.
  2. Disable cert validation on IdP end.
  3. Generate a new certificate on production by clicking the `generate` option under SAML Service Provider Credentials.
  4. Import the new certificate into your IdP:
    https://docs.pivotal.io/pivotalcf/1-12/opsguide/auth-sso.html#configure-saml-for-pcf
    These steps will vary depending on which SAML provider you are using:
    If using ADFS, see: https://docs.pivotal.io/p-identity/1-3/adfs/config-adfs.html
    If using CA SSO, see: https://docs.pivotal.io/p-identity/1-3/ca-sso/config-ca-sso.html
    If using OKTA, see: https://docs.pivotal.io/p-identity/1-3/okta/config-okta.html
    If using PingFederate, see: https://docs.pivotal.io/p-identity/1-3/pingfederate/config-pingfederate.html
  5. Re-enable certificate validation on the IdP.
  6. Validate system functionality.


Additional Information

Guide to importing certificates to SSO provider, https://docs.pivotal.io/pivotalcf/1-12/opsguide/auth-sso.html#configure-saml-for-pcf

Reference to using OpsManager API, https://docs.pivotal.io/pivotalcf/1-10/customizing/ops-man-api.html

Reference guide on rotating and regenerating certs in PCF, https://docs.pivotal.io/pivotalcf/1-12/security/pcf-infrastructure/api-cert-rotation.html