IdP Signing Certificate question

Nate Klingenstein ndk at
Thu Jan 21 19:26:14 UTC 2021


> I want to understand this better...

Always a good impulse. :D

> Is it possible to generate a new, self-signed cert using a modern signing algorithm such as SHA-256 from the same private key?

Yes.  You can use the same keypair to generate a new CSR and then a new certificate and it will contain the same matching public key.  The point of confusion is that the public and private key must match.  You can check that using the modulus:

> If so, won't data signed/encrypted with the private key still be able to be validated/decrypted by the SP which has the new cert?

That depends on whether the SP trusts the new cert, but in general, yes.  It's the same keypair being used for all signing and validation purposes.

If you *swap out* the keypair for a new one, the story changes completely, and as Scott noted, breakage is more likely.

Take care,

More information about the users mailing list