IDP 3.4.3 Expiring Signing Certificate Rollover

Rich Thomas rcthomas at
Tue Feb 4 18:33:23 EST 2020

Need to roll over the IDP signing cert. It was carried over from IDP V2.

1. Added new signing cert/key pair to and defined expiring
certs associated with .2
idp.signing.key = %{idp.home}/credentials/idp-signing.key
idp.signing.cert = %{idp.home}/credentials/idp-signing.crt
idp.signing.key.2 = %{idp.home}/credentials/idp-signing-old.key
idp.signing.cert.2 = %{idp.home}/credentials/idp-signing-old.crt
idp.encryption.key = %{idp.home}/credentials/idp-encryption.key
idp.encryption.cert = %{idp.home}/credentials/idp-encryption.crt

2. Added Cert to IDP metadata

3. Defined the additional cert and key in credentials.xml, following the example
for encryption key rollover given in that file:

    <alias alias="shibboleth.SigningCredentials" name="shibboleth.DefaultSigningCredential" />
    <util:list id="shibboleth.DefaultSigningCredential">
        <!-- bean elements were stripped from the post; reconstructed from the stock IdP 3 credentials.xml pattern and the .2 properties above -->
        <bean class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean"
            p:privateKeyResource="%{idp.signing.key}" p:certificateResource="%{idp.signing.cert}"
            p:entityId-ref="entityID" />
        <bean class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean"
            p:privateKeyResource="%{idp.signing.key.2}" p:certificateResource="%{idp.signing.cert.2}"
            p:entityId-ref="entityID" />
    </util:list>

I have verified that the old and new signing certs work, but only one at a time,
depending on which bean is not commented out or which bean is first within the
util:list in credentials.xml.

Not seeing any errors in logs. IDP authentication is working.

Haven't found other documentation.

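Added example, not part of the post above: a stdlib-only check for step 2 of the rollover, confirming that both the old and the new signing certificate are published as signing KeyDescriptors in the IdP metadata before the IdP is switched to the new key. The PEM bodies, the metadata and the entityID https://idp.example.org/idp are constructed stand-ins, not real certificates.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and line breaks and return the raw DER bytes."""
    return base64.b64decode("".join(l.strip() for l in pem.splitlines() if not l.startswith("-----")))

def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, the usual way to identify a certificate."""
    return hashlib.sha256(der).hexdigest()

def published_signing_certs(metadata_xml: str) -> set:
    """Fingerprints of every cert an SP may use to verify this IdP's signatures: KeyDescriptors
    with use="signing" or with no use attribute (no attribute = both signing and encryption)."""
    certs = set()
    for kd in ET.fromstring(metadata_xml).iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue  # encryption-only key, irrelevant for signature validation
        for x509 in kd.iterfind(".//ds:X509Certificate", NS):
            # base64 in metadata is usually line-wrapped; normalise before decoding
            certs.add(fingerprint(base64.b64decode("".join((x509.text or "").split()))))
    return certs

def rollover_ready(metadata_xml: str, new_pem: str, old_pem: str) -> bool:
    """True only when both old and new signing certs are published, the state SPs
    must have consumed before the IdP is switched to sign with the new key."""
    wanted = {fingerprint(pem_to_der(new_pem)), fingerprint(pem_to_der(old_pem))}
    return wanted <= published_signing_certs(metadata_xml)

def fake_pem(label: bytes) -> str:
    """Constructed stand-in: not real X.509 DER, just bytes in PEM armour."""
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(label).decode()

OLD_PEM = fake_pem(b"constructed OLD signing cert")
NEW_PEM = fake_pem(b"constructed NEW signing cert")

def sample_metadata(include_new: bool) -> str:
    """Constructed IdP metadata: old signing cert always present, new one optional."""
    def kd(pem, use):
        b64 = base64.encodebytes(pem_to_der(pem)).decode()
        return ('<md:KeyDescriptor use="%s"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s'
                '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>' % (use, b64))
    body = kd(OLD_PEM, "signing") + (kd(NEW_PEM, "signing") if include_new else "")
    body += kd(fake_pem(b"constructed encryption cert"), "encryption")
    return ('<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" entityID="https://idp.example.org/idp">'
            '<md:IDPSSODescriptor>%s</md:IDPSSODescriptor></md:EntityDescriptor>' % (NS["md"], NS["ds"], body))
```

Run rollover_ready against the real published metadata and the two PEM files from the credentials directory; it returns False until the new cert is in the metadata, which is the signal that the key switch in credentials.xml can safely follow.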