Key rollover docs/procedure

Brian Biggs biggsb at
Fri Sep 13 09:59:21 EDT 2019


We have run into a situation that may require us to perform a key rollover
in our IdP (v3.4.4). I've been looking for a "how to" or documentation
specific to performing this task, but I've been unable to find anything

If folks here could point me to any kind of docs or reference materials I
would be very grateful.

For background, the specific situation is:

An SP we work with (Ex Libris) upgraded their SP to Java 11, which by
default does not like our signing cert. The error they sent me is: SAML
failure 20: Certificate is not valid.  Cause: Algorithm constraints check
failed on signature algorithm: MD5withRSA.

They have requested that we upgrade our cert to meet their (suddenly,
without notice) new security standards. I flat out told them no, so after
some discussion their dev team did something (I'm guessing they adjusted
the java security settings, but they are not telling me), and now we are
working again, temporarily.

After some discussion with my director, we decided that it may be in our
best interest, in the long run, to move forward with a controlled key
rollover, so that this issue doesn't bite us in the future with other SPs.

Hopefully we can convince Ex Libris to keep this temporary work around in
place until we have planned and can properly execute this key rollover.

Lead Identity Mgmt/Systems Integration
Information Technology
Sonoma State University
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list