Saml certificate renew vs. revoke & replace

This topic contains 2 replies, has 3 voices, and was last updated by Peter Major 2 months, 1 week ago.

  • #24378
     mei.li@usaa.com 
    Participant

    I thought certificate renewal should be a different process from certificate revoking
    & replacement. For SAML certificate renewal, if we updated the keystore with the new certificate used by the ForgeRock IdP before the expiration date, must all SPs immediately get the new public key? Can each SP get the public key at a different time without causing problems? If not, what's the difference between renewal and revoke & replace?

    Thanks

    Mei

    #24398
     xinlian 
    Participant

    No difference. To renew a cert, you need to remove the old one and replace it with the new one. And if all your SPs depend on 1 IdP, then yes, all SPs must immediately get the new public key.

    Regards,
    Xin

    #24399
     Peter Major 
    Moderator

    You can also roll over your keys by simply adding the new key to the list of aliases on the hosted entity. The remote entities can then pull the new metadata that contains more than one KeyDescriptor. Once you know that the new key has been propagated, you can remove the old key from the alias list.
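The rollover described above, as an added example that is not part of this thread or of ForgeRock's own code: an SP-side check that parses IdP metadata published with two signing KeyDescriptors and accepts a signer certificate if it matches either of them, so assertions signed with the old or the new key both verify until the old alias is removed. The entityID, the placeholder certificate values and the function names are assumptions constructed for the example.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: a hosted IdP entity mid-rollover, publishing the old and the
# new signing certificate as two KeyDescriptor elements. The certificate values
# are placeholders (not real DER), which is enough to exercise the lookup logic.
OLD_CERT_B64 = base64.b64encode(b"placeholder-old-signing-cert").decode()
NEW_CERT_B64 = base64.b64encode(b"placeholder-new-signing-cert").decode()
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{OLD_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{NEW_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def fingerprint(cert_b64: str) -> str:
    """SHA-256 of the decoded certificate bytes, hex-encoded."""
    return hashlib.sha256(base64.b64decode(cert_b64)).hexdigest()


def signing_fingerprints(metadata_xml: str) -> set:
    """Fingerprints of every signing certificate the IdP metadata publishes.
    A KeyDescriptor without a 'use' attribute is valid for signing and
    encryption, so it counts too; use="encryption" is skipped."""
    root = ET.fromstring(metadata_xml)
    fps = set()
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            # strip PEM-style line wrapping before decoding
            fps.add(fingerprint("".join((cert.text or "").split())))
    return fps


def sp_trusts_signer(metadata_xml: str, signer_cert_b64: str) -> bool:
    """SP-side check: does the certificate that signed an assertion appear in the
    currently published IdP metadata? During rollover this is True for both keys."""
    return fingerprint(signer_cert_b64) in signing_fingerprints(metadata_xml)
```

Once the old alias is dropped from the hosted entity and the SP refreshes its metadata, the old certificate simply stops appearing in `signing_fingerprints` and the check fails for it, which is the point at which rollover is complete.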



©2019 ForgeRock
