Skip to main content
Skip table of contents

SAML Signing Certificate Renew Procedure


This article describe the procedure how to rotate IdP (Shibboleth) certificate renew action as well the impact on Service Providers (NetScaler, StoreFront, or any other service configured via SAML protocol) which are configured.

Once the new signing certificate is updated to Veridium service, the Service Provider will not accept anymore the SAML assertion issued by Veridium IdP.

Renew the Signing Certificate

Once the new certificate is available (issued from Enterprise PKI), it must be uploaded to Veridium through Admin Management Console.

In Settings \ Connectors \ SAML, admin can access SAML IdP configuration

There are 2 options how to upload the new certificate.

  1. (Best Practice) In PKCS#12 format, password protected.

PKCS#12 (also known as PKCS12 or PFX) is a common binary format for storing a certificate chain and private key in a single, encryptable file, and usually have the filename extensions .p12 or .pfx.

In order to do, please check “Enable PFX” toggle button as in picture bellow, which will switch the user interface to the upload form in this format.

  1. If the Private Key and Public Key are available in PEM format, there is the option to upload as individual files as well.

PEM (originally “Privacy Enhanced Mail”) is the most common format for X.509 certificates, CSRs, and cryptographic keys. A PEM file is a text file containing one or more items in Base64 ASCII encoding, each with plain-text headers and footers (e.g. -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----).

Save action will submit the new certificate and Veridium IdP will reload automatically to use the new certificate.

Update the Service Providers

Manually update

If Service Provider has been configured by upload of idp_metadata.xml file, this action must be done during the same change session as Renew IdP certificate.

Veridium administrator must download the new metadata file (see picture bellow) and distribute to other services.

Automatic Update

If Service Provider was configured to automatically update the IdP Metadata, no further action is required. The metadata URL will publish immediately after Renew the certificate, the new information at

https://<idp service name>/idp/shibboleth

Citrix Storefront

Citrix StoreFront SAML configuration allow to specify multiple IdP keys. That makes possible to configure the new Public Key of signing certificate and StoreFront will accept both signatures (old and news).

Import the new Public Key to Machine Certificate Store

Import new Certificate

Edit the SAML Configuration - Identity Provider

Edit Identity Provider of the Citrix StoreFront

Add the new Certificate thumbprint

Now, the StoreFront will accept both signatures.

Cleanup should be done after the certificate is renewed in IdP Veridium and the old certificate is not in use anymore.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.