IdP Signing Certificate question

Cantor, Scott cantor.2 at
Thu Jan 21 17:58:51 UTC 2021

On 1/21/21, 12:52 PM, "users on behalf of Brian Biggs" <users-bounces at on behalf of biggsb at> wrote:

>    Just to be clear, what I'm hearing is that keeping our private key and changing our public key doesn't buy us anything as
> far as keeping SPs working during a transition. Is that right?

You can't change one and not the other. You're confusing a new certificate with a new public key, that's not how it works. The keypair is a unit. Issuing a new certificate for the same public key is what you're talking about.

It buys a lot, but nothing is universal. Whether that's enough is subjective. I have never been faced with the question but no, you cannot just reissue it. That's going to break plenty of stuff. Just much less than changing the key.

>    So we might as well generate new public and private keys and work on a coordinated cutover with all our SPs...

If you're going to do that, then the result at the end should be:

- A key protected in such a way that the chances of anything short of outright compromise of server memory should not cause it to be at risk. To me that means it should not be accessible on disk at runtime or ever backed up outside of a very controlled process.

- A tagging/metadata-based strategy for controlling the key used by all broken services so that a future change can be automated for all the non-broken services and the broken ones controlled on an individual basis.

Such a nightmarish task has to lead to very tangible benefits to be worthwhile.

-- Scott

More information about the users mailing list