Expiring IDP signing certificate
Cantor, Scott
cantor.2 at osu.edu
Fri Jun 3 16:46:16 UTC 2022
On 6/3/22, 12:36 PM, "users on behalf of Ullfig, Roberto Alfredo via users" <users-bounces at shibboleth.net on behalf of users at shibboleth.net> wrote:
> For some SPs we coordinated with their service technicians on the day of the changeover.
When you're dealing with a key rollover, you don't really have "a day", that's not the best way to approach it.
You deploy both keys at once. In the initial phase, you generally start by adding the new key as a second, migrate broken SPs as you go along, and eventually you hit the point where every SP is either tagged to use the old or new key, and you're ready to flip the default key. And then you spend more weeks and months migrating anything still tagged to use the old key until you're finally off it.
I did an example of mechanically how to do some aspects of this, though it's ultimately an organic and somewhat locally-dependent process.
https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/2986475557/MetadataDrivenConfigurationExamples
-- Scott
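Added example (my own code, not Scott's and not from the Shibboleth project): a check a practitioner can run against the IdP's published SAML metadata to confirm it is in the dual-key phase described above, i.e. both the old and the new certificate are listed under signing KeyDescriptors before SPs are migrated and the default is flipped. It assumes constructed placeholder byte strings in place of real DER certificates and a constructed entityID of https://idp.example.edu/idp/shibboleth.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 metadata and XML Signature.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def signing_cert_fingerprints(metadata_xml):
    """SHA-256 fingerprints of every certificate the IdP publishes for signing."""
    root = ET.fromstring(metadata_xml)
    fingerprints = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' covers signing too; skip encryption-only keys.
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())
    return fingerprints

def rollover_phase(metadata_xml, old_fp, new_fp):
    """Classify where the signing-key rollover stands from the published metadata."""
    published = set(signing_cert_fingerprints(metadata_xml))
    have_old, have_new = old_fp in published, new_fp in published
    if have_old and have_new:
        return "dual-key"     # both published: migrate SPs, then flip the default
    if have_new:
        return "complete"     # only the new key remains
    if have_old:
        return "not-started"  # only the old key is published
    return "neither"          # wrong metadata, or a publishing problem

# Constructed sample: placeholder byte strings stand in for DER certificates;
# the check hashes the decoded bytes and never parses X.509 structure.
OLD_DER = b"constructed placeholder, not a real certificate: OLD"
NEW_DER = b"constructed placeholder, not a real certificate: NEW"
OLD_FP = hashlib.sha256(OLD_DER).hexdigest()
NEW_FP = hashlib.sha256(NEW_DER).hexdigest()

def _kd(use, der):  # one <KeyDescriptor> carrying a single base64 certificate
    return (f'<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
            f"{base64.b64encode(der).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>")

SAMPLE_METADATA = (
    f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
    'entityID="https://idp.example.edu/idp/shibboleth"><md:IDPSSODescriptor>'
    + _kd("signing", NEW_DER)     # new key added as the second signing key
    + _kd("signing", OLD_DER)
    + _kd("encryption", OLD_DER)  # encryption key, ignored by the signing check
    + "</md:IDPSSODescriptor></md:EntityDescriptor>")

if __name__ == "__main__":
    print(rollover_phase(SAMPLE_METADATA, OLD_FP, NEW_FP))  # dual-key
```

Run it against the metadata your IdP actually serves (and the aggregate your federation republishes), since SPs validate against what they fetch, not what sits in credentials.xml.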