Renewing certificates on windows installation

Morris, Andi amorris at
Mon Mar 4 06:51:10 EST 2013

Thanks Scott and Peter (and the Steve at the UK Federation helpdesk). I've got a much better idea of how the certificates tie in with the operations of Shibboleth now and am in a much better position to manage the renewal.


-----Original Message-----
From: users-bounces at [mailto:users-bounces at] On Behalf Of Cantor, Scott
Sent: 01 March 2013 17:00
To: Shib Users
Subject: Re: Renewing certificates on windows installation

On 3/1/13 10:12 AM, "Morris, Andi" <amorris at> wrote:

>Initially both, but I've worked out now that my external facing
>certificate is separate, and as such have renewed this successfully. I
>have generated the internal SAML certificate, replaced the existing
>private key and public crt files with the new ones (exactly the same
>file names and locations) and restarted both apache and tomcat services.

You really can't just go changing a signing key, that has operational implications and you'll break all kinds of things.

>I then remembered that I need to put the contents of the crt file
>inside my idp-metadata.xml file and replace this on any relevant SPs.
>After doing this everything seems to be ok.

I guess you just dealt with the operational implications. As a rule, people don't take kindly to having their apps broken, so this causes a lot of grief.

You have to manage key changes with metadata and configuration strategies that avoid breakage, and usually combine that with a ton of hand holding of commercial partners that have to change keys on a fixed schedule.

>I am interested in the what has been said since I've been typing this
>though. Are you saying that the internal shibboleth certificate does
>not necessarily affect the service if it has expired? The person that
>setup Shibboleth at this site has since left, and he set this up with
>public certs, rather than the auto-generated self-signed certificates
>that last 20 years (according to the docs).

There's no one answer to that question. Every deployment has specific trust models and partners to deal with that influence whether or not an expired signing cert will work, and what the implications of using non-self-signed certs will be. Coming in after the fact, you have no real way to get all that information except for a lot of legwork.

-- Scott
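Scott's point about managing a key change through metadata rather than swapping files, shown as an added example that is not part of this thread or of Shibboleth's own code: a small Python script that reads a constructed idp-metadata.xml, lists the certificates an SP would trust for signature verification, and publishes a new certificate alongside the old one as the first rollover step (the entityID, endpoint and certificate bodies are constructed placeholders, not real values).

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

# Constructed sample values: placeholder certificate bodies, not real DER.
OLD_CERT = "MIIC-OLD-CERT-PLACEHOLDER"
NEW_CERT = "MIIC-NEW-CERT-PLACEHOLDER"

# Constructed minimal idp-metadata.xml with a single signing certificate.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{OLD_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def signing_certs(metadata_xml):
    """Certificates an SP may use to verify this IdP's signatures:
    KeyDescriptor elements with use="signing" or with no use attribute."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iter(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            certs.append("".join(cert.text.split()))  # drop PEM line wrapping
    return certs


def add_signing_cert(metadata_xml, new_cert_b64):
    """Rollover step 1: publish the new cert next to the old one, so SPs that
    load this metadata accept either key. The IdP switches to signing with
    the new key only after that has propagated; the old entry is removed last."""
    root = ET.fromstring(metadata_xml)
    role = root.find(f"{{{MD}}}IDPSSODescriptor")
    kd = ET.Element(f"{{{MD}}}KeyDescriptor", use="signing")
    x509 = ET.SubElement(ET.SubElement(kd, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
    ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = new_cert_b64
    existing = role.findall(f"{{{MD}}}KeyDescriptor")
    # KeyDescriptor must precede endpoints, so insert right after the last one.
    role.insert(list(role).index(existing[-1]) + 1 if existing else 0, kd)
    return ET.tostring(root, encoding="unicode")


def rollover_phase(metadata_xml):
    """Describe where in the rollover the published metadata currently stands."""
    n = len(signing_certs(metadata_xml))
    return {1: "single key", 2: "rollover in progress"}.get(n, f"{n} keys published")
```

Running `signing_certs` against the metadata each SP actually holds shows which partners still trust only the old key before the IdP is switched to the new one.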
