From: Sander A. <sa....@fz...> - 2018-07-17 06:12:00
Hi Krzysztof,

we have to renew our certificate, used for SAML signing and en/decryption. We want to add a second one to propagate it to the IdPs and remove the old one later. SWITCH has a good explanation of our goals [1].

I configured a second certificate:

unity.pki.credentials.ROLLOVER.format=pkcs12
unity.pki.credentials.ROLLOVER.path=/PATH/TO/keystore.p12
unity.pki.credentials.ROLLOVER.keyAlias=NEW-ALIAS
unity.pki.credentials.ROLLOVER.password=MY-SUPER-PASSWORD

Restart unity and add the second cert in the requester credentials:

unity.saml.requester.requesterCredential=MAIN;ROLLOVER

When I reload the authenticator, the process hung. No second cert was stored in the metadata. I must remove the second cert from the requester credentials and restart unity to get the system running again. I saw no issues in the logs.

Is this possible? Or must I replace the cert in a timeslot where I expect only few users, to propagate the new cert?

Best regards,
Sander

[1]: https://www.switch.ch/aai/guides/sp/certificate-rollover/

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
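A check that goes with the symptom reported above (no second cert in the metadata): an added example, not code from the thread or from Unity, that parses the SP metadata an SP publishes and reports which expected certificate fingerprints are missing from its KeyDescriptor elements. The certificate bytes and the metadata document are constructed placeholders, not real DER certificates or Unity output.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint (hex) of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

def key_descriptors(metadata_xml: str):
    """List (use, fingerprint) for every X509Certificate in the SP metadata.
    A KeyDescriptor without 'use' covers both signing and encryption."""
    root = ET.fromstring(metadata_xml)
    found = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        use = kd.get("use", "signing+encryption")
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            found.append((use, fingerprint(der)))
    return found

def missing_certs(metadata_xml: str, expected_fps) -> set:
    """Fingerprints that should be published (old + new during rollover) but are not."""
    present = {fp for _, fp in key_descriptors(metadata_xml)}
    return set(expected_fps) - present

def make_metadata(certs) -> str:
    """Build a minimal SPSSODescriptor from a list of (use-or-None, der bytes).
    Constructed test input, not metadata exported from Unity."""
    kds = "".join(
        '<md:KeyDescriptor%s><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s'
        '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
        % ((' use="%s"' % use) if use else "", base64.b64encode(der).decode())
        for use, der in certs)
    return ('<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" entityID="https://sp.example.org">'
            '<md:SPSSODescriptor>%s</md:SPSSODescriptor></md:EntityDescriptor>'
            % (NS["md"], NS["ds"], kds))

# Constructed placeholder certificate bytes (real metadata carries DER certificates).
OLD_CERT = b"constructed-old-cert-bytes"
NEW_CERT = b"constructed-new-cert-bytes"
BEFORE_ROLLOVER = make_metadata([("signing", OLD_CERT), ("encryption", OLD_CERT)])
DURING_ROLLOVER = make_metadata([(None, OLD_CERT), (None, NEW_CERT)])

if __name__ == "__main__":
    for name, md in (("before", BEFORE_ROLLOVER), ("during", DURING_ROLLOVER)):
        print(name, "missing:", missing_certs(md, [fingerprint(OLD_CERT), fingerprint(NEW_CERT)]))
```

Running the same check against the metadata Unity actually serves, with the fingerprints of MAIN and ROLLOVER, tells you whether the IdPs can see the new key before you switch.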