SAML Signing Certificate Renew Procedure
Overview
This article describes the procedure for renewing the IdP (Shibboleth) signing certificate in Veridium, and the impact on the Service Providers (NetScaler, StoreFront, or any other service integrated via the SAML protocol) that are configured against it.
Once the new signing certificate has been applied to the Veridium service, Service Providers will no longer accept the SAML assertions issued by the Veridium IdP until they are updated with the new certificate.
Renew the Signing Certificate
Once the new certificate is available (issued by the Enterprise PKI), it must be uploaded to Veridium through the Admin Management Console.
In Settings \ Connectors \ SAML, the admin can access the SAML IdP configuration.
There are two ways to upload the new certificate.
(Best practice) In PKCS#12 format, password protected.
PKCS#12 (also known as PKCS12 or PFX) is a common binary format for storing a certificate chain and private key in a single, encryptable file, and usually has the filename extension .p12 or .pfx.
To do so, enable the “Enable PFX” toggle as shown in the picture below; this switches the user interface to the upload form for this format.
If the private key and the certificate (public key) are available in PEM format, they can be uploaded as individual files instead.
PEM (originally “Privacy Enhanced Mail”) is the most common format for X.509 certificates, CSRs, and cryptographic keys. A PEM file is a text file containing one or more items in Base64 ASCII encoding, each with plain-text headers and footers (e.g. -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----).
The Save action submits the new certificate, and the Veridium IdP reloads automatically to use it.
Update the Service Providers
Manual Update
If a Service Provider was configured by uploading the idp_metadata.xml file, it must be updated during the same change session as the IdP certificate renewal.
The Veridium administrator must download the new metadata file (see the picture below) and distribute it to the other services.
Automatic Update
If the Service Provider was configured to update the IdP metadata automatically, no further action is required. Immediately after the certificate is renewed, the new information is published at the metadata URL:
https://<idp service name>/idp/shibboleth
Citrix Storefront
The Citrix StoreFront SAML configuration allows multiple IdP keys to be specified. This makes it possible to add the public key of the new signing certificate, after which StoreFront accepts both signatures (old and new).
Import the new Public Key to Machine Certificate Store
Edit the SAML Configuration - Identity Provider
Add the new certificate thumbprint
StoreFront now accepts both signatures.
Cleanup of the old key should be done after the certificate has been renewed in the Veridium IdP and the old certificate is no longer in use.
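Before removing the old key, it is worth confirming that every signing certificate the IdP now publishes at the metadata URL is also trusted by the Service Provider. The following check is an added example written for this article (not Veridium or Citrix code): it parses the IdP metadata, computes the thumbprints of the signing certificates, and reports any that are missing from the thumbprints configured on the SP. The metadata document, entityID and certificate bytes are constructed stand-ins.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def _b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode("ascii")

def _key_descriptor(use: str, fake_der: bytes) -> str:
    return (f'<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{_b64(fake_der)}</ds:X509Certificate>'
            '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')

# Constructed stand-in for the document served at https://<idp service name>/idp/shibboleth.
# The certificate bodies are made-up bytes, not real DER; real metadata is processed the same way.
SAMPLE_METADATA = (
    f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
    'entityID="https://idp.example.test/idp/shibboleth"><md:IDPSSODescriptor>'
    + _key_descriptor("signing", b"CONSTRUCTED OLD SIGNING CERT")
    + _key_descriptor("signing", b"CONSTRUCTED NEW SIGNING CERT")
    + _key_descriptor("encryption", b"CONSTRUCTED ENCRYPTION CERT")
    + "</md:IDPSSODescriptor></md:EntityDescriptor>"
)

def signing_thumbprints(metadata_xml: str, algo: str = "sha1") -> list[str]:
    """Thumbprints (uppercase hex, the form StoreFront displays) of every IdP signing cert.
    A KeyDescriptor without a 'use' attribute is valid for both purposes and is included."""
    root = ET.fromstring(metadata_xml)
    thumbprints = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue  # encryption-only keys never sign assertions
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode(re.sub(r"\s+", "", cert.text or ""))
            thumbprints.append(hashlib.new(algo, der).hexdigest().upper())
    return thumbprints

def normalize_thumbprint(tp: str) -> str:
    """Canonicalize the forms admins paste: colons, spaces, lowercase."""
    return re.sub(r"[^0-9A-Fa-f]", "", tp).upper()

def untrusted_signing_certs(metadata_xml: str, sp_thumbprints: list[str]) -> list[str]:
    """IdP signing certs the SP does not trust; a non-empty result means assertions signed
    with that certificate are rejected until the SP configuration is updated."""
    trusted = {normalize_thumbprint(t) for t in sp_thumbprints}
    return [t for t in signing_thumbprints(metadata_xml) if t not in trusted]
```

Run it against the live metadata URL and the thumbprint list from the SP: an empty result from untrusted_signing_certs means the SP side is ready and the old key can be removed.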