CA Single Sign-On forum: What is the best procedure for renewal of certificate?

This topic contains 8 replies, has 2 voices, and was last updated by  ujwols 8 months, 1 week ago.

  • #627

    Dhilip
    Participant

    Hi Ujwol,

    Could you please let me know what is the best/recommended procedure for renewal of certificate?

    I have referred the following thread: https://communities.ca.com/thread/241749172

I guess using ‘Update Certificate’ from the WAMUI is the best option. But my doubt is: in case I need to roll back (because of some issues), will I be able to use the same procedure (to update with the old certificate), or will it perform some validation and thus not allow the update (with the old cert, because of date validation)?

    Regards,
    Dhilip

  • #630

    ujwols
    Keymaster

    Hi Dhilip,

    If we are talking about best/recommended approach for certificate renewal, then it is:

    1. Deactivate partnership.
    2. Import new certificate with new alias.
    3. Update partnership to use new certificate.
    4. Activate partnership.

    The only downside of this approach is there will be downtime during this process.

The procedure mentioned in the thread you referred to may give uncertain results.

Having said that, this is now a lot easier to maintain from 12.8 onwards, as it provides the option to have two certs, one primary and the other backup. So even if the primary cert expires, the partnership will fall back to using the secondary cert.

  • #646

    Dhilip
    Participant

    Hi Ujwol,

Unfortunately, we are not using Partnership Federation; we are using legacy federation in my enterprise.

During the last certificate renewal activity, they followed the procedure below.
1. Pre-installed the certificate in the CDS under a different alias (Alias3).
2. Renamed the old certificate (Alias1) to a different alias (Alias2).
3. Renamed the new certificate (Alias3) to the actual certificate alias name (Alias1).

For the time being, we have not faced any issues with this approach. (Note: we are using these certs only for signing.)

Now, I am doing a feasibility check to use partnership federation in the future. While exporting the sample entity, I could see that it has CA.FED::Certificate.Alias=Alias1 and CA.CDS::Certificate.Alias=Alias2. So, I am trying to find a proper way to renew the certificate. I guess using ‘Update Certificate’ from the WAMUI is the best option (to avoid these problems).

But my doubt is: in case I need to roll back (because of some issues), will I be able to use the same procedure (to update with the old certificate), or will it perform some validation and thus not allow the update (with the old cert, because of date validation)?

  • #648

    ujwols
    Keymaster

    Hi Dhilip,

    The procedure I outlined is applicable for legacy federation also.

    Regards,
    Ujwol

  • #649

    Dhilip
    Participant

    Ujwol,

Thanks for your response. But if we import the certificate with a new alias, we may have to change hundreds of SAML service providers, as currently these are using defaultenterpriseprivatekey. Is there a way to avoid this?

    • #650

      ujwols
      Keymaster

      Hi Dhilip,

Unfortunately, that is how it is, and this is the only recommended approach.

But as per the thread you referred to, that also seems to work, though it is not officially recommended.

      Regards,
      Ujwol

  • #652

    Dhilip
    Participant

    Hi Ujwol,

    Thanks for your thoughts.

The certificate which I am trying to renew is our IdP signing certificate. I could see that in the thread (which I referred to earlier) you mentioned the line below.
“I guess your procedure will work only if the cert is being used for Signing”

1) In the future, in case we have a requirement to use the same certificate for encryption as well, will we face an issue? Could you please provide your opinion?

2) CA’s recommended approach (for our case) is to import the new certificate with a different alias and change the alias (to the new alias instead of empty/defaultenterpriseprivatekey) in all the SAML service providers. Could you please confirm if my understanding is correct?

  • #735

    Dhilip
    Participant

    Ujwol,

I guess my previous question was wrong, as we will be using the SP’s public certificate for configuring encryption (from our end). So, I am rephrasing my first question.

1) Could you please let me know if there will be any drawback with the approach which we are using?

2) CA’s recommended approach (for our case) is to import the new certificate with a different alias and change the alias (to the new alias instead of empty/defaultenterpriseprivatekey) in all the SAML service providers. Please confirm if my understanding is correct.

    Thanks.

    • #738

      ujwols
      Keymaster

1) Could you please let me know if there will be any drawback with the approach which we are using?

Updating any existing cert requires deactivating the partnership/legacy federation first, and there is also a chance that, if anything goes wrong, you may not have a backup to revert to.

2) CA’s recommended approach (for our case) is to import the new certificate with a different alias and change the alias (to the new alias instead of empty/defaultenterpriseprivatekey) in all the SAML service providers. Please confirm if my understanding is correct.

Yes. Even if this is a long process, it is the safest procedure, as it also provides a way to restore the old certificate/alias if something goes wrong.
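Added example, not part of the thread and not CA/Broadcom tooling: a POSIX shell pre-flight script for the alias-rename rollover described above (new cert pre-loaded under Alias3, old cert parked as Alias2, production alias Alias1 left untouched so the SAML SP entries need no change), with the checks a practitioner would want before touching the CDS: the staged private key really belongs to the staged cert, the new cert has enough validity left, and the old cert is still inside its validity window so that a rollback to it would not fail date validation. It assumes PEM files on disk and the OpenSSL CLI; the demo key pairs and subject name are constructed inline. The smkeytool command syntax printed by print_swap_plan is an assumption from memory and must be checked against `smkeytool -help` on your release before use.

```shell
#!/bin/sh
# Added example, not CA/Broadcom tooling: pre-flight checks for an IdP
# signing-certificate rollover in the CDS, plus the alias-swap plan and its
# reverse for rollback. Assumes PEM files on disk and the OpenSSL CLI.
# The smkeytool syntax printed by print_swap_plan is from memory (assumption)
# and must be checked against `smkeytool -help` on your release.
set -u

# 0 if the private key belongs to the certificate (identical SPKI public key).
key_matches_cert() { # cert.pem key.pem
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# 0 if the certificate is still inside its validity window $2 seconds from now.
cert_valid_for() { # cert.pem seconds
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# 0 when it is safe to point the production alias at the new certificate:
#  - the staged key really belongs to the staged cert,
#  - the new cert stays valid for at least $4 more days,
#  - and a warning is printed if the old cert is already expired, because then
#    there is nothing to roll back to (the rollback concern raised in the thread).
precheck_renewal() { # old.pem new.pem new.key min_days
    rc=0
    key_matches_cert "$2" "$3" || { echo "FAIL: new key does not match new cert"; rc=1; }
    cert_valid_for "$2" $(( $4 * 86400 )) || { echo "FAIL: new cert expires within $4 days"; rc=1; }
    cert_valid_for "$1" 0 || echo "WARN: old cert already expired; a rollback to it will not pass date validation"
    old_subj=$(openssl x509 -in "$1" -noout -subject 2>/dev/null)
    new_subj=$(openssl x509 -in "$2" -noout -subject 2>/dev/null)
    [ "$old_subj" = "$new_subj" ] || echo "WARN: subject changed: '$old_subj' -> '$new_subj'"
    return $rc
}

# Alias-swap plan from the thread: the new cert is pre-loaded under the staging
# alias ($2), the old cert is parked under $3, and the production alias ($1)
# that the SAML SP entries reference is never changed. The reverse order
# restores the old cert.
print_swap_plan() { # prod_alias staging_alias parked_alias
    cat <<EOF
# forward (with federation for this IdP deactivated):
smkeytool -renameAlias -alias $1 -newalias $3
smkeytool -renameAlias -alias $2 -newalias $1
# rollback (only meaningful while the old cert is inside its validity window):
smkeytool -renameAlias -alias $1 -newalias $2
smkeytool -renameAlias -alias $3 -newalias $1
EOF
}

# Constructed demo data: an "old" self-signed cert with 10 days left and a
# "new" one valid for a year, both for the same (made-up) IdP subject.
DEMO_DIR=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=idp.example.com" -days 10 \
    -keyout "$DEMO_DIR/old.key" -out "$DEMO_DIR/old.pem" >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=idp.example.com" -days 365 \
    -keyout "$DEMO_DIR/new.key" -out "$DEMO_DIR/new.pem" >/dev/null 2>&1

if precheck_renewal "$DEMO_DIR/old.pem" "$DEMO_DIR/new.pem" "$DEMO_DIR/new.key" 30; then
    print_swap_plan Alias1 Alias3 Alias2
fi
```

Run it on the policy server host before the maintenance window, against the exported old cert and the new key/cert pair you intend to load. If the old cert is already expired, a rollback to it is not an option and you lose the safety net the thread discusses; that is the case for importing the new cert under a fresh alias and updating the SP entries instead, which keeps both certs live in the CDS.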
