ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Token Signing Certificate Expiry


Article ID: 98292


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On


We recently replaced an expired Certificate from the CDS, and we'd like to know how to do it without
having a down time. We've observed recently that changing an expired certificate needed a downtime.

How can we avoid a downtime ?


Release: MSPSSO99000-12.8-Single Sign-On-for Business Users-MSP


At first glance, from Policy Server and AdminUI 12.6, you can add a 
"secondary certificate" in order to avoid downtime when the 
certificate needs to be replaced. 

Signature and Encryption Configuration for Federated Partnerships 

Select an alias from the certificate data store for the Verification 
Certificate Alias field. This field indicates which certificate 
verifies signed authentication requests or single logout requests or 
responses. If there is no certificate in the certificate data store, 
click Import to import one. 

(Optional) Select another alias from the certificate data store for 
the Secondary Verification Certificate Alias field. 

If verification of a signed authentication or logout request fails 
using the primary verification certificate alias, the IdP uses this 
secondary verification alias. If the certificate is not already in the 
certificate data store, click Import to import one. When secondary 
certificates are configured or updated for an active partnership, the 
run time automatically picks up the changes. You do not need to flush 
the cache manually from the UI for the changes to take effect. 

  (Optional) Select another alias from the certificate data store for the Secondary Verification Certificate Alias field.


Additional Information

Further reading related to the topic :

  Port Federation Certificate Management Enhancement from SSO 

  To benefit from that functionality, you'll need to upgrade your 
  environment to at least 12.6. We recommend you to upgrade to 12.8.