Expiring SP certificate on IDP Federation Partnership renewal
search cancel

Expiring SP certificate on IDP Federation Partnership renewal


Article ID: 102461


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On SITEMINDER CA Single Sign On Federation (SiteMinder)



A Service Provider (SP) certificate has been configured for verification on the Identity Provider (IDP) Partnership which is about to expire.

How to renew the certificate on the Identity Provider (IDP)?




  1. Turn on CDS log (1), for AdminUI and for the Policy Server, so in case you need to troubleshoot, some clues will be available to explain what may have gone wrong. 
  2. Import the renewed cert using Adminui with some dummy name - currentcertrenewed 
  3. Rename the current cert which is going to expire to some new name (2)

    ./smkeytool.sh -renameAlias -alias currentcert -newalias currentcertexpired

  4. Flush Policy Server Cache ALL
  5. Rename the renewed cert (currentcertrenewed) to the current cert name

    ./smkeytool.sh -renameAlias -alias currentcertrenewed -newalias currentcert

  6. Flush Policy Server Cache ALL
  7. List the certificates from you CDS using ./smkeytool.sh to make sure all the needed certificates are present.


Flush All usually works well and reloads certificate information but in case if some failed federation messages are seen due to certificate errors, advise is to restart the Policy Server to avoid any confusion with cached certificates.


Additional Information



    Certificate Data Store (CDS) Logging