When running an AdminUI, how do you change a certificate for a Partnership that is due to be renewed soon?
Policy Server acts as Identity Provider (IdP)
At first glance, the SiteMinder documentation recommends using the "Secondary Verification Certificate Alias" functionality (1).
The knowledge base also describes alternative ways to update that certificate (2)(3).
(1)
Signature and Encryption Dialog (SAML 2.0 IdP)
Secondary Verification Certificate Alias (Optional)
Specifies a second certificate alias for a certificate in the
certificate data store. If verification of a signed authentication
request fails using the verification certificate alias, the IdP
uses this secondary verification alias. Specifying a secondary
alias is useful if an SP rolls over its signing certificate. A
rollover can occur for any reason, such as when a certificate
expires, a private key is compromised, or the private key size
changes. If the certificate is not already in the certificate data
store, click Import to import one. When secondary certificates
are configured or updated for an active partnership, the run time
automatically picks up the changes. You do not need to flush the
cache from the UI for the changes to take effect.
(2)
Recommended approach to renew an expiring sign certificate in AdminUI
(3)
Expiring SP certificate on IDP Federation Partnership renewal
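
The fallback order described in (1) can be reproduced with the openssl CLI; this is an added example, not SiteMinder code or part of the original article. The certificate names, the sample request and the detached file signature (standing in for a signed SAML authentication request) are assumptions made for the illustration.

```shell
#!/usr/bin/env bash
# Added illustration, not SiteMinder code: primary-then-secondary verification
# during an SP signing-certificate rollover. A detached signature over a file
# stands in for a signed SAML authentication request.

# make_sp_cert NAME DIR: constructed self-signed certificate and key (sample data).
make_sp_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$2/$1.key" -out "$2/$1.crt" 2>/dev/null
}

# sign_request KEY MSG SIG: the SP signs with whichever key it currently uses.
sign_request() { openssl dgst -sha256 -sign "$1" -out "$3" "$2"; }

# verify_with_cert CERT MSG SIG: check SIG against the public key in CERT.
verify_with_cert() {
  _pub=$(mktemp) || return 1
  if openssl x509 -in "$1" -pubkey -noout >"$_pub" 2>/dev/null &&
     openssl dgst -sha256 -verify "$_pub" -signature "$3" "$2" >/dev/null 2>&1
  then _rc=0; else _rc=1; fi
  rm -f "$_pub"
  return "$_rc"
}

# verify_with_rollover MSG SIG PRIMARY_CERT [SECONDARY_CERT]
# Prints which alias verified the signature; returns 1 if neither does.
verify_with_rollover() {
  if verify_with_cert "$3" "$1" "$2"; then echo primary
  elif [ -n "${4:-}" ] && verify_with_cert "$4" "$1" "$2"; then echo secondary
  else echo rejected; return 1
  fi
}

# rollover_demo: primary alias = old SP cert, secondary alias = new SP cert.
rollover_demo() {
  d=$(mktemp -d) || return 1
  printf '<AuthnRequest ID="constructed-sample"/>' >"$d/req.xml"
  for n in sp-old sp-new unknown; do
    make_sp_cert "$n" "$d" && sign_request "$d/$n.key" "$d/req.xml" "$d/$n.sig"
  done
  set -- "$d/req.xml" "$d/sp-old.crt" "$d/sp-new.crt"
  old=$(verify_with_rollover "$1" "$d/sp-old.sig" "$2" "$3") || true
  new=$(verify_with_rollover "$1" "$d/sp-new.sig" "$2" "$3") || true
  bad=$(verify_with_rollover "$1" "$d/unknown.sig" "$2" "$3") || true
  rm -rf "$d"
  echo "old=$old new=$new unknown=$bad"
}

rollover_demo
```

With both aliases set, requests signed by either the old or the new SP key verify, while a signature from any other key is still rejected.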