Multiple certificates doing both signing+encryption

Cantor, Scott cantor.2 at
Tue Nov 2 21:00:23 UTC 2021

On 11/2/21, 4:23 PM, "users on behalf of Jay Athalye" <users-bounces at on behalf of jay.athalye at> wrote:

> I assume this is not best practice - and I am working towards marking one of them as "use=encryption".

Other than complicating rollover, there isn't really any particular good or bad about any of it. SPs don't even need signing keys unless they intend to support logout.

> But I am curious about which cert is used for signing in this case? Is it the first cert in the config without the "use" attribute?

If there's no other constraint or configuration involved, yes.

-- Scott
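An added example, not from this thread and not Shibboleth's own code: a small Python check that reads an SP's SAML metadata and applies the rule Scott describes (an entry marked use="signing" wins; otherwise the first KeyDescriptor with no "use" attribute is the signing certificate, while unmarked and use="encryption" entries are all usable for encryption). It assumes no other constraint or configuration is involved, and the entityID and certificate bodies are constructed placeholders.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample SP metadata (placeholders, not a real entity): two
# KeyDescriptors without a "use" attribute, then one marked use="encryption".
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>CERT-A</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>CERT-B</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>CERT-C</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def key_descriptors(metadata_xml):
    """Return (use, certificate) pairs in document order; use is None when absent."""
    root = ET.fromstring(metadata_xml)
    pairs = []
    for kd in root.iter(f"{{{MD}}}KeyDescriptor"):
        cert = kd.find(f".//{{{DS}}}X509Certificate")
        text = cert.text.strip() if cert is not None and cert.text else None
        pairs.append((kd.get("use"), text))
    return pairs


def select_signing_cert(metadata_xml):
    """Certificate a peer treats as the signing cert when nothing else constrains it:
    an explicit use="signing" entry first, else the first entry with no use attribute."""
    pairs = key_descriptors(metadata_xml)
    for use, cert in pairs:
        if use == "signing":
            return cert
    for use, cert in pairs:
        if use is None:
            return cert
    return None


def encryption_certs(metadata_xml):
    """All certificates a peer may encrypt to: use="encryption" or no use attribute."""
    return [c for use, c in key_descriptors(metadata_xml) if use in (None, "encryption")]
```

Running it against the sample shows CERT-A selected for signing even though CERT-B is equally eligible, which is the rollover ambiguity the thread refers to.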
