Shibboleth SPv3: checking how to rollover the signing key

Peter Schober peter.schober at
Fri Mar 13 08:48:27 EDT 2020

* Gernot Hassenpflug <gernot.hassenpflug at> [2020-03-13 12:32]:
> This is the first time for us to try and rollover a signing key, as
> opposed to an encryption key.

Unless you have specific requirements in your authentication requests
that must remain intact signing those probably doesn't buy you
anything. Are you even signing those?
And if you're not currently signing your authn requests the only thing
left to sign for the SP is SLO messages. Do you even support SLO in
your SP?

There are a few resources available that explain the concepts in
different terms (which you could find by searching for those), maybe
those are more helpful?

But for signing it should be rather simple: If your SP signs anything
the recipient of that message must already have the public key in order
to verify the signature. So first publish a new cert with use=signing,
wait for propagation (or propagate manually, if required), then switch
the software from signing with the old key to signing with the new
key. Done. (Cleanup later by removing the old key from metadata.)
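As an added illustration (not part of the original reply, nor code from the Shibboleth project) of the "publish first, switch later" check described above: the script below parses a copy of the SP metadata as it is seen by the relying party, lists every KeyDescriptor with its `use` attribute and a SHA-256 fingerprint of the certificate, and only reports it safe to switch the signer when the new certificate is present with use="signing" or with no `use` attribute (which in SAML metadata means the key is valid for both signing and encryption). The metadata documents and certificate blobs are constructed placeholders, not real certificates; the function names are the example's own.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# SAML 2.0 metadata and XML Signature namespaces used in the document.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def fingerprint(cert_b64):
    """SHA-256 over the DER bytes of a base64-encoded X509Certificate value."""
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.sha256(der).hexdigest()


def list_key_descriptors(metadata_xml):
    """Return [(use, fingerprint)] for every KeyDescriptor of the SPSSODescriptor.

    A KeyDescriptor without a 'use' attribute is valid for both signing and
    encryption, so it is reported as 'both'.
    """
    root = ET.fromstring(metadata_xml)
    found = []
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        use = kd.get("use") or "both"
        cert = kd.find(".//ds:X509Certificate", NS)
        if cert is None or not cert.text:
            continue  # KeyDescriptor without an inline cert: nothing to verify against
        found.append((use, fingerprint(cert.text)))
    return found


def safe_to_switch_signing_key(metadata_xml, new_cert_b64):
    """True only if the recipient's copy of the metadata already carries the new
    certificate in a signing-capable KeyDescriptor; switching the SP's signer
    before that would make every signed message unverifiable."""
    new_fp = fingerprint(new_cert_b64)
    return any(
        use in ("signing", "both") and fp == new_fp
        for use, fp in list_key_descriptors(metadata_xml)
    )


# Constructed placeholders standing in for DER certificates (NOT real certs).
OLD_CERT = base64.b64encode(b"constructed placeholder: old signing cert").decode()
NEW_CERT = base64.b64encode(b"constructed placeholder: new signing cert").decode()


def _metadata(key_descriptors):
    """Build a minimal SP metadata document from (use, cert_b64) pairs."""
    kds = ""
    for use, cert in key_descriptors:
        use_attr = f' use="{use}"' if use else ""
        kds += (
            f"<md:KeyDescriptor{use_attr}><ds:KeyInfo><ds:X509Data>"
            f"<ds:X509Certificate>{cert}</ds:X509Certificate>"
            f"</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
        )
    return (
        f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
        f'entityID="https://sp.example.org/shibboleth">'
        f"<md:SPSSODescriptor>{kds}</md:SPSSODescriptor></md:EntityDescriptor>"
    )


# Step 0: metadata as the IdP sees it today (old key only, used for both).
METADATA_BEFORE = _metadata([(None, OLD_CERT)])
# Step 1: new cert published with use="signing", old key still present.
METADATA_AFTER = _metadata([(None, OLD_CERT), ("signing", NEW_CERT)])
# Mistake: new cert published, but only as an encryption key.
METADATA_WRONG_USE = _metadata([(None, OLD_CERT), ("encryption", NEW_CERT)])

if __name__ == "__main__":
    for label, md in (("before", METADATA_BEFORE), ("after", METADATA_AFTER),
                      ("wrong use", METADATA_WRONG_USE)):
        print(label, list_key_descriptors(md),
              "-> switch signer:", safe_to_switch_signing_key(md, NEW_CERT))
```

Run it against a metadata copy fetched from the IdP side or the federation aggregate (rather than your own local file) to confirm propagation has actually happened before changing the SP's signing credential.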

