IDP 3.4.3 Expiring Signing Certificate Rollover

Thomas, Richard C. rcthomas at
Tue Feb 4 18:57:32 EST 2020

Have SPs pointing to expiring signing cert point to new cert when they receive updated IDP metadata.
From: users <users-bounces at> on behalf of Cantor, Scott <cantor.2 at>
Sent: Tuesday, February 4, 2020 5:38:35 PM
To: Shib Users <users at>
Subject: RE: IDP 3.4.3 Expiring Signing Certificate Rollover


> I have verified that old and new signing cert works but only one at a time
> depending on which bean is not commented out or which bean is first within
> util:list in credentials.xml

What exactly are you expecting to happen? Any given security and signing configuration is going to use exactly one key, and other than exceptional cases involving different key types, there's no concept of picking a key based on anything other than a local decision over which key to use.

> Haven't found other documentation.

Controlling credentials is documented in [1]

-- Scott
