From: Krzysztof B. <kb...@un...> - 2018-07-19 21:31:24
Hi Sander,

On 17.07.2018 at 08:11, Sander Apweiler wrote:
> Hi Krzysztof,
>
> we have to renew our certificate, used for SAML signing and
> en/decryption. We want to add a second one to propagate it to the IdPs
> and remove the old one later. Switch has a good explanation about our
> goals [1].
>
> I configured a second certificate:
> unity.pki.credentials.ROLLOVER.format=pkcs12
> unity.pki.credentials.ROLLOVER.path=/PATH/TO/keystore.p12
> unity.pki.credentials.ROLLOVER.keyAlias=NEW-ALIAS
> unity.pki.credentials.ROLLOVER.password=MY-SUPER-PASSWORD
>
> Restart unity and add the second cert in requester credentials:
> unity.saml.requester.requesterCredential=MAIN;ROLLOVER
>
> When I reload the authenticator, the process hangs. No second cert
> was stored in metadata. I must remove the second cert from requester
> credentials and restart unity to get the system running again. I saw no
> issues in logs.
>
> Is this purpose possible? Or must I replace the cert in a timeslot
> where I expect only a few users to propagate the new cert?

I'm not sure if I've got your intention. The requesterCredential setting is used to select which certificate you use for signing/decryption. You can use only one.

However, if you want, you can prepare your own metadata, including two certificates (current and future). Then you wait for the new metadata to be propagated (which is federation dependent). After the new certificate is loaded in the metadata of all peers in the federation, you can make the real switch: change requesterCredential to the new one. And you can remove the old one (soon to be expired) from the metadata to clean up the environment.

HTH
Krzysztof
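The "prepare your own metadata with two certificates" step described above, as an added example that is not part of this thread or of the Unity project: it takes SP metadata that advertises one certificate and appends a second KeyDescriptor of the same use for the rollover certificate, so peers can load the new key before requesterCredential is switched. The entityID and the certificate bodies are constructed placeholders.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

# Constructed sample: minimal SP metadata carrying only the current (MAIN)
# certificate for signing and for encryption.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://sp.example.org/unity">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MAIN-CERT-BASE64</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MAIN-CERT-BASE64</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def certs_by_use(metadata_xml: str) -> dict:
    """Map each KeyDescriptor 'use' to the certificates advertised for it, in document order."""
    out = {}
    for kd in ET.fromstring(metadata_xml).iter(f"{{{MD}}}KeyDescriptor"):
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            out.setdefault(kd.get("use", "any"), []).append(cert.text.strip())
    return out


def add_rollover_cert(metadata_xml: str, new_cert_b64: str) -> str:
    """Add a KeyDescriptor for new_cert_b64 right after each existing KeyDescriptor with the
    same 'use', keeping the current certificate in place. Idempotent: a cert already
    advertised for that use is not added twice."""
    root = ET.fromstring(metadata_xml)
    for sso in root.iter(f"{{{MD}}}SPSSODescriptor"):
        for kd in list(sso.findall(f"{{{MD}}}KeyDescriptor")):
            use = kd.get("use")
            present = {c.text.strip() for k in sso.findall(f"{{{MD}}}KeyDescriptor")
                       if k.get("use") == use for c in k.iter(f"{{{DS}}}X509Certificate")}
            if new_cert_b64.strip() in present:
                continue
            new_kd = ET.Element(f"{{{MD}}}KeyDescriptor")
            if use:
                new_kd.set("use", use)
            key_info = ET.SubElement(new_kd, f"{{{DS}}}KeyInfo")
            x509_data = ET.SubElement(key_info, f"{{{DS}}}X509Data")
            ET.SubElement(x509_data, f"{{{DS}}}X509Certificate").text = new_cert_b64.strip()
            sso.insert(list(sso).index(kd) + 1, new_kd)
    return ET.tostring(root, encoding="unicode")
```

Once every peer in the federation has loaded the new metadata, requesterCredential is pointed at the ROLLOVER credential and the MAIN KeyDescriptors can be dropped from the published metadata.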