Renew signing partnership certificates in AdminUI and Policy Server



Article ID: 243672


Updated On:


SITEMINDER, CA Single Sign On Federation (SiteMinder), CA Single Sign On Secure Proxy Server (SiteMinder)



When running an AdminUI, how do you change the certificate for a partnership when that certificate is due to be renewed soon?




Policy Server acts as Identity Provider (IdP)




At first glance, the SiteMinder documentation recommends using the "Secondary Verification Certificate Alias" functionality (1).

The Knowledge Base also describes other ways to update that certificate (2)(3).


Additional Information



    (1) Signature and Encryption Dialog (SAML 2.0 IdP)

      Secondary Verification Certificate Alias (Optional)

      Specifies a second certificate alias for a certificate in the
      certificate data store. If verification of a signed authentication
      request fails using the verification certificate alias, the IdP
      uses this secondary verification alias. Specifying a secondary
      alias is useful if an SP rolls over its signing certificate. A
      rollover can occur for any reason, such as when a certificate
      expires, a private key is compromised, or the private key size
      changes. If the certificate is not already in the certificate data
      store, click Import to import one.  When secondary certificates
      are configured or updated for an active partnership, the run time
      automatically picks up the changes. You do not need to flush the
      cache from the UI for the changes to take effect.



    (2) Recommended approach to renew an expiring sign certificate in AdminUI


    (3) Expiring SP certificate on IDP Federation Partnership renewal
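
The secondary-alias fallback described in the documentation excerpt above, modeled with openssl as an added example (this is not SiteMinder's own code or documentation). It assumes a detached RSA/SHA-256 signature over the raw request bytes instead of real XML signature processing; the key names, the sample request and the function names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: models "try the verification alias, then the secondary alias"
# during an SP signing-certificate rollover. Not SiteMinder code.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed SP signing keys: "old" is about to expire, "new" replaces it.
for name in old new; do
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/$name.key" 2>/dev/null
  openssl pkey -in "$WORK/$name.key" -pubout -out "$WORK/$name.pub"
done

# Constructed stand-in for a signed authentication request.
printf '%s' '<AuthnRequest ID="_constructed-1"/>' > "$WORK/request.xml"

# sign_request KEYNAME: the SP signs the request with the named private key.
sign_request() {
  openssl dgst -sha256 -sign "$WORK/$1.key" \
    -out "$WORK/request.sig" "$WORK/request.xml"
}

# verify_with ALIAS: succeeds only if ALIAS is set and its public key verifies.
verify_with() {
  [ -n "$1" ] && openssl dgst -sha256 -verify "$WORK/$1.pub" \
    -signature "$WORK/request.sig" "$WORK/request.xml" >/dev/null 2>&1
}

# idp_verify PRIMARY [SECONDARY]: prints which alias accepted the signature.
# Returns 1 (request rejected) when neither configured alias verifies it.
idp_verify() {
  if verify_with "$1"; then
    echo primary
  elif verify_with "${2:-}"; then
    echo secondary
  else
    echo rejected
    return 1
  fi
}

# Rollover timeline: the IdP holds old=primary and new=secondary throughout.
sign_request old; echo "before SP rollover: $(idp_verify old new)"
sign_request new; echo "after SP rollover:  $(idp_verify old new)"
echo "no secondary set:   $(idp_verify old '' || true)"
```

Once the SP signs only with the new key, the new certificate can become the primary alias and the expired one can be removed.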