IdP Signing Certificate question

Cantor, Scott cantor.2 at osu.edu
Thu Jan 21 19:29:24 UTC 2021


On 1/21/21, 2:14 PM, "users on behalf of Andrew Jason Morgan" <users-bounces at shibboleth.net on behalf of morgan at oregonstate.edu> wrote:

>    Is it possible to generate a new, self-signed cert using a modern signing algorithm such as SHA-256 from the same
> private key?

Yes.

>  If so, won't data signed/encrypted with the private key still be able to be validated/decrypted by the SP which has the
> new cert?

This is about signing; encryption is in the other direction. And it's the opposite: whether an SP with the old certificate will continue to work if the new one is included in the signature's KeyInfo element. The certificate has nothing to do with the math of signing or encrypting data; that's about the key alone.

But the answer is that there is exactly one SAML implementation with a fully documented and standardized answer, and that answer is yes. The answer for everything else is "maybe" and the answer for much of it is "no": they compare the certificates or certificate fingerprints in ways that defeat such a change.

-- Scott
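
The distinction drawn in the reply above, as an added illustration that is not part of the original message and is not Shibboleth code: two self-signed certificates issued over one private key (SHA-1, then SHA-256) carry the same public key but have different certificate fingerprints. It assumes the `openssl` command line tool; the key, file names and the subject `idp.example.org` are constructed for the example.

```shell
#!/bin/sh
# Added example: constructed key and certificates, nothing from a real IdP.

# make_cert KEY DIGEST OUT: self-signed certificate over an existing private key.
make_cert() {
    openssl req -new -x509 -key "$1" "-$2" -days 3650 \
        -subj "/CN=idp.example.org" -out "$3" 2>/dev/null
}

# cert_fingerprint CERT: SHA-256 over the whole DER certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# key_fingerprint CERT: SHA-256 over the DER SubjectPublicKeyInfo only.
key_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

# sig_alg CERT: signature algorithm recorded in the certificate.
sig_alg() {
    openssl x509 -in "$1" -noout -text |
        awk -F': ' '/Signature Algorithm/ {print $2; exit}'
}

# compare OLD NEW: what a key-based and a certificate-based check each conclude.
compare() {
    k=match; c=match
    [ "$(key_fingerprint "$1")" = "$(key_fingerprint "$2")" ] || k=MISMATCH
    [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ] || c=MISMATCH
    echo "key comparison: $k"
    echo "certificate comparison: $c"
}

demo() {
    dir=$(mktemp -d) || return 1
    openssl genrsa -out "$dir/idp.key" 2048 2>/dev/null
    make_cert "$dir/idp.key" sha1   "$dir/old.crt"
    make_cert "$dir/idp.key" sha256 "$dir/new.crt"
    echo "old: $(sig_alg "$dir/old.crt")  new: $(sig_alg "$dir/new.crt")"
    compare "$dir/old.crt" "$dir/new.crt"
    rm -rf "$dir"
}
demo
```

Running the same two fingerprint functions against the certificate an SP has stored and the reissued one shows which of the two values changed; whether a given SP pins the key or the certificate still has to be confirmed from its own documentation or by testing.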



