ComponentSpace Forums

Question on certificate rollover

mwolfe
New Member (8 reputation)
Group: Forum Members
Posts: 5, Visits: 32
We are a service provider to multiple identity providers. I am questioning how to support rollout of an updated service provider certificate to all our identity providers.

Your documentation states:
“To support phased rollout of a new certificate, it could be specified as the local certificate for the local provider and the old certificate is specified as the local certificate for each partner provider. As partner providers are ready to switch to the new certificate, the local certificate specifications for these partner providers are removed so that the new certificate is then used.”

So is that saying that if a local certificate (or old certificate) is specified for each partner provider, it will use the old certificate until they have told us that they want to use the new certificate and we remove the local certificate reference from the partner provider? Is this correct? If so, this seems like a very manual process, having to coordinate with the identity providers (in our case) on when they are ready to use the new certificate.

Is there any way to use the new certificate and, if it fails, use the old certificate so there is more of a seamless rollover?


ComponentSpace Development (4.4K reputation)
Group: Administrators
Posts: 3.2K, Visits: 11K
Your understanding is correct.

I'm not sure how this process could be automated easily. We would have to receive notification from the identity provider that they're ready to roll over to the new SP certificate. This isn't something supported by the SAML specification.

If you're using self-signed certificates for SAML, the validity period can be longer than a typical SSL certificate and so the frequency of having to do this is reduced.

Regards
ComponentSpace Development
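The phased rollover that the quoted documentation describes and the reply above confirms, modelled as an added example for this thread. This is Python written for illustration, not ComponentSpace's own code or configuration schema: the `SpConfig`, `partner_overrides`, `begin_rollover` and `switch_partner` names and the sample certificates are constructed here. It shows the two resolution rules the documentation relies on (a partner-level local certificate wins over the local provider's certificate; removing it falls back to the provider default) and the check an operator wants before retiring the old key.

```python
# Added illustration of the phased rollover described in the quoted documentation.
# Hypothetical model: the data structures and function names are constructed for
# this example and are not ComponentSpace's configuration schema or API.
from dataclasses import dataclass, field
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Certificate:
    """Minimal stand-in for an X.509 certificate (constructed sample values)."""
    subject: str
    thumbprint: str


@dataclass
class SpConfig:
    """Service provider signing configuration.

    local_certificate  - certificate configured on the local provider; it is the
                         default for every partner identity provider.
    partner_overrides  - partner name -> local certificate specified on that
                         partner provider; when present it wins over the default.
    """
    local_certificate: Certificate
    partner_overrides: Dict[str, Certificate] = field(default_factory=dict)

    def signing_certificate_for(self, partner: str) -> Certificate:
        """Resolve which certificate signs messages sent to this partner."""
        return self.partner_overrides.get(partner, self.local_certificate)


def begin_rollover(config: SpConfig, new_cert: Certificate,
                   partners: Iterable[str]) -> SpConfig:
    """Phase 1: pin every known partner to the current certificate, then make the
    new certificate the local provider default. Order matters: a partner that is
    not pinned here silently starts receiving the new certificate."""
    old_cert = config.local_certificate
    overrides = dict(config.partner_overrides)
    for partner in partners:
        overrides.setdefault(partner, old_cert)  # keep any existing override
    return SpConfig(local_certificate=new_cert, partner_overrides=overrides)


def switch_partner(config: SpConfig, partner: str) -> Certificate:
    """Phase 2: the partner has confirmed it trusts the new certificate, so its
    override is removed and the local provider default takes effect.
    Returns the certificate that partner now sees."""
    config.partner_overrides.pop(partner, None)
    return config.signing_certificate_for(partner)


def partners_pinned_to(config: SpConfig, cert: Certificate) -> List[str]:
    """Audit helper: partners that still carry an explicit override for `cert`."""
    return sorted(p for p, c in config.partner_overrides.items() if c == cert)


def rollover_complete(config: SpConfig, old_cert: Certificate) -> bool:
    """True once no partner is pinned to the old certificate, i.e. it can be retired."""
    return not partners_pinned_to(config, old_cert)


if __name__ == "__main__":
    # Constructed sample certificates; thumbprints are placeholders, not real hashes.
    OLD = Certificate("CN=sp.example,O=Example SP", "OLD-THUMBPRINT-PLACEHOLDER")
    NEW = Certificate("CN=sp.example,O=Example SP", "NEW-THUMBPRINT-PLACEHOLDER")

    cfg = begin_rollover(SpConfig(local_certificate=OLD), NEW, ["idp-a", "idp-b"])
    print("idp-a before switch:", cfg.signing_certificate_for("idp-a").thumbprint)
    switch_partner(cfg, "idp-a")
    print("idp-a after switch: ", cfg.signing_certificate_for("idp-a").thumbprint)
    print("still on old cert:  ", partners_pinned_to(cfg, OLD))
    print("rollover complete:  ", rollover_complete(cfg, OLD))
```

Two points the model makes visible: the pin step must run over the complete partner list before the new certificate is promoted, because any partner without an override moves to the new certificate immediately; and `partners_pinned_to` is the check to run before the old private key is destroyed. The model deliberately contains no "try the new certificate, fall back to the old one" path, matching the reply that such a per-message fallback is not something the SAML specification provides.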