IdP Signing Certificate question

Brian Biggs biggsb at
Thu Jan 21 16:40:50 UTC 2021


I have finally reached the bottom of the rabbit hole. I have inherited an
IdP that is using a signing cert that was signed by our (very old) internal
CA cert that contains an MD5 signature algorithm. This is causing problems
with some of our SPs who are trying to validate the cert. I have been
unable to convince said SPs that they do not need to validate.

So, my question is: If I generate a new self-signed IdP signing cert using
the existing IdP signing key, then drop that new cert into our metadata,
will SPs who have the old metadata continue to work? Obviously we'd be
distributing the new metadata to our SPs as quickly as possible, but the
process will take some time.

Follow up question: Is there a "best practice" for what key length and
digest hashing algorithm to use for an IdP signing cert? I'm guessing 2048
and sha256 are the minimum, but will going to 4096 and sha512 likely cause
interoperability issues with some SPs?

Thank you in advance,
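The two checks a practitioner would run before and after doing what the question proposes, as an added example (not part of the original post and not code from any IdP product): confirm what digest the deployed cert was actually signed with, issue a new self-signed SHA-256 cert over the same private key, and prove the new cert carries exactly the public key the old one did. Because the real IdP key is not on the page, the script generates a throw-away 2048-bit RSA key in a temp dir to stand in for "the existing signing key", and the "old" cert is simulated as a second self-signed cert over that key (modern OpenSSL builds generally refuse to emit an MD5 signature, which is the point). The only assumption is the OpenSSL command-line tool (1.1.1 or 3.x); the file names and the CN `idp.example.org` are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post or any IdP software. Assumes only the
# OpenSSL CLI. KEY/OLD/NEW are stand-ins; on a live IdP point KEY at the deployed
# signing key and OLD at the deployed certificate.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Signature algorithm a cert was signed with, e.g. md5WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Succeeds (exit 0) when a signature-algorithm name uses MD5 or SHA-1, the digests an
# SP that validates the certificate itself is most likely to reject.
is_weak_sig_alg() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *md5*|*sha1*) return 0 ;;
        *) return 1 ;;
    esac
}

# SHA-256 fingerprint of a PEM public key read from stdin.
pub_fpr() {
    openssl pkey -pubin -outform DER | openssl dgst -sha256 | sed 's/^.*= *//'
}
cert_pubkey_fpr() { openssl x509 -in "$1" -noout -pubkey | pub_fpr; }
key_pubkey_fpr()  { openssl pkey -in "$1" -pubout | pub_fpr; }

# New self-signed cert over an EXISTING private key: SHA-256 signature, ten-year life.
# $1 = private key, $2 = output cert path, $3 = CN for the subject.
new_selfsigned_cert() {
    openssl req -x509 -new -key "$1" -sha256 -days 3650 -subj "/CN=$3" -out "$2"
}

# Succeeds when cert $1 and cert $2 wrap the same public key (same key, new wrapper).
same_key() {
    [ "$(cert_pubkey_fpr "$1")" = "$(cert_pubkey_fpr "$2")" ]
}

# The cert as SAML metadata carries it inside <ds:X509Certificate>: base64, no armour.
metadata_blob() {
    sed '/^-----/d' "$1" | tr -d '\n'
}

KEY="$WORK/idp-signing.key"   # stand-in for the existing IdP signing key (constructed)
OLD="$WORK/old.crt"           # stand-in for the deployed CA-issued cert (constructed)
NEW="$WORK/new.crt"

openssl genrsa -out "$KEY" 2048 2>/dev/null
new_selfsigned_cert "$KEY" "$OLD" idp.example.org
new_selfsigned_cert "$KEY" "$NEW" idp.example.org

echo "old cert signed with: $(cert_sig_alg "$OLD")"
echo "new cert signed with: $(cert_sig_alg "$NEW")"
if is_weak_sig_alg "$(cert_sig_alg "$OLD")"; then echo "old cert needs replacing"; fi
same_key "$OLD" "$NEW" && echo "same public key in old and new cert"
[ "$(key_pubkey_fpr "$KEY")" = "$(cert_pubkey_fpr "$NEW")" ] && echo "new cert matches key"
openssl verify -CAfile "$NEW" "$NEW"     # a self-signed cert validates against itself
echo "metadata blob starts: $(metadata_blob "$NEW" | cut -c1-40)..."
```

Run it once against a copy of the real key and cert to see the old signature algorithm and the fingerprint equality; `same_key` succeeding is what lets an SP that matches on the key in metadata, rather than validating the issuer chain, keep verifying the IdP's signatures while the new metadata is rolled out. A 2048-bit RSA key with a SHA-256 self-signature, as produced here, is the combination with the widest SP interoperability.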

More information about the users mailing list