hi,

"packing your keys in long-lived, self-signed certificates is the preferred way to go"

https://spaces.at.internet2.edu/display/federation/saml-metadata-cryptographic-keys

alan