Replacing Signing Key with trusted certificate

This topic contains 5 replies, has 2 voices, and was last updated by  Peter Major 8 months, 2 weeks ago.


    I am leading the security SSO RnD work at my workplace and I have the evaluation version of OpenAM installed. I am stuck with the following situation.

    We can get the SSO flow working and the SAML response signed with the ‘test’ certificate, however my goal is to replace the default ‘test’ certificate with our ‘internalIdentityCertificate’.

    The keystore.jceks file contains our ‘internalIdentityCertificate’ however I can’t see this certificate in the dropdown IDP/Assertion Content/Signing and Encryption/CertificateAliases.

    I would highly appreciate any help/suggestion on this.


    • This topic was modified 8 months, 2 weeks ago by  dhruvb.
     Peter Major 

    After updating the keystore, you should restart the container so that the new aliases are made available. Also keep in mind that if you just replace the private key stored under the “test” alias, you will need to resave the federation configuration to pick up the new certificate and update the standard metadata.


    Hello Peter Major,

    I have restarted the container. I haven’t replaced the ‘test’ alias; all I have done is add an entry within the keystore.jceks by importing ‘internalIdentity’.crt. The keystore now contains 11 entries instead of the 10 default ones, as expected; however, the dropdown doesn’t pick up this new alias when creating a new Hosted Identity Provider.

    But for an existing IDP I can manually enter this new certificate alias to match the entry in the keystore.jceks and it happily gets saved. But when I try the SSO flow again with this new signing certificate alias I get

    libSAML2:07/20/2018 05:38:03:645 PM BST: Thread[http-apr-7778-exec-10,5,main]: TransactionId[8497c67d-2b9d-4538-ba0c-1885d002f17e-1020111]
    ERROR: UtilProxySAMLAuthenticator.authenticate: authn request verification failed.
    com.sun.identity.saml2.common.SAML2Exception: Null input.
    at com.sun.identity.saml2.common.QuerySignatureUtil.verify(
    at org.forgerock.openam.saml2.UtilProxySAMLAuthenticator.authenticate(
    libSAML2:08/08/2018 10:14:22:207 AM BST: Thread[http-apr-7778-exec-3,5,main]: TransactionId[01719746-dc96-4a7b-9d80-6e76f265d9c6-9045]
    ERROR: UtilProxySAMLAuthenticatorLookup.retrieveAuthenticationFromCache: Unable to do sso or federation.
    com.sun.identity.saml2.common.SAML2Exception: The private key was null.

     Peter Major 

    You should try to list the contents of the keystore, if your alias maps to a trustedCertificate instead of a privateKeyEntry, then that’s your problem.


    Yes, here is the list. Yes, the alias is trustedCertificate instead of privateKeyEntry. How shall I resolve this?
    es384test, 03-Feb-2017, PrivateKeyEntry,
    selfserviceenctest, 18-Mar-2016, PrivateKeyEntry,
    es256test, 03-Feb-2017, PrivateKeyEntry,
    dsameuserpwd, 08-Aug-2018, SecretKeyEntry,
    rsajwtsigningkey, 24-May-2016, PrivateKeyEntry,
    directenctest, 23-May-2018, SecretKeyEntry,
    selfservicesigntest, 23-May-2018, SecretKeyEntry,
    test, 03-Apr-2018, PrivateKeyEntry,
    configstorepwd, 08-Aug-2018, SecretKeyEntry,
    identitykey, 07-Aug-2018, trustedCertEntry
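An added check for the situation in this thread (example code, not from the forum posters or from ForgeRock), assuming POSIX sh, plus keytool for the two functions that touch a real keystore: it classifies an alias from the one-line-per-alias summary that `keytool -list` prints, and shows the keytool import that replaces a certificate-only alias with a PrivateKeyEntry. The sample listing is constructed from the output above; the PKCS12 bundle and alias names are assumptions.

```shell
#!/bin/sh
# A SAML signing alias must be a PrivateKeyEntry (private key + certificate
# chain). A trustedCertEntry holds only a certificate, so OpenAM can verify
# with it but not sign, which is what "The private key was null" reports.

# Constructed sample of `keytool -list -keystore keystore.jceks -storetype JCEKS`
# output (not real keystore contents).
SAMPLE_LIST='test, 03-Apr-2018, PrivateKeyEntry,
identitykey, 07-Aug-2018, trustedCertEntry,'

# alias_entry_type LISTING ALIAS
# Prints PrivateKeyEntry, trustedCertEntry, SecretKeyEntry or "missing".
alias_entry_type() {
    printf '%s\n' "$1" | awk -F', *' -v a="$2" \
        '$1 == a { print $3; found = 1 } END { if (!found) print "missing" }'
}

# signing_alias_status LISTING ALIAS
# Exit 0: usable for signing; 1: certificate-only (cannot sign); 2: alias absent.
signing_alias_status() {
    case "$(alias_entry_type "$1" "$2")" in
        PrivateKeyEntry)  return 0 ;;
        trustedCertEntry) return 1 ;;
        *)                return 2 ;;
    esac
}

# list_keystore KEYSTORE
# Same summary format, read from a real JCEKS keystore (keytool prompts for
# the store password; keep only the alias summary lines).
list_keystore() {
    keytool -list -keystore "$1" -storetype JCEKS | grep -E 'Entry, *$'
}

# import_signing_key P12 SRCALIAS KEYSTORE DESTALIAS
# Replaces a certificate-only alias with the private key + chain from a
# PKCS12 bundle (assumed to hold internalIdentityCertificate and its key).
# keytool prompts for both store passwords; the key password it asks for
# must match the one OpenAM is configured to use. Afterwards restart the
# container and resave the IdP configuration, as the thread advises.
import_signing_key() {
    keytool -delete -alias "$4" -keystore "$3" -storetype JCEKS 2>/dev/null || true
    keytool -importkeystore -srckeystore "$1" -srcstoretype PKCS12 -srcalias "$2" \
        -destkeystore "$3" -deststoretype JCEKS -destalias "$4"
}
```

Run `list_keystore keystore.jceks` and feed its output to `signing_alias_status` to confirm the alias type before and after the import.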

     Peter Major 