Tech Tip – How to check which federation objects are using a given certificate

USE CASE : How do we get a list of FEDRATION Objects which is using a given certificate. We need this to identify the list of FeDERATION confIguration which needs to be updated with the renewed certificate once the current certifice expires.

Any CA SSO version.

  1. Login to Admin UI and navigate to X509 Certificate Management –> Trusted Certificates and Private Keys. Then, sort the certificates by “Expiration Date”  to identify the alias for the certificates which are going to expire soon. Let’s say in the following screen, we have identified the certificate “idpfeb2018” is the one which is going to expire soon expiring_cert
  2. Next, perform a full xpsexport of the policy store using following command :

    [text]XPSExport fullexport.xml -xb -pass <password> [/text]

  3. Now, run SmPolicyReader tool. Then, click File –> Open Policy store from File and select the policy store export file from above step.smpolicyreader
  4. Next, navigate to Fed –> CA.FED.Certificate and select the certificate alias that we identified earlier.smpolicyreader_fedcert
  5. Now, to identify all the references to this certificate click the “References” tab on the right bottom smpolicyreader_referencesAs you can see above, this screen list the object which is referencing this certificate. You can double click to get into the actual object. From the screenshot above, we have now identified that this particular certificate is used by two partnership and it is being used as signing certificate.
  6. Let’s now verify this from Admin UI.partnershippartnership_signingcert
  1. SmPolicyReader download link : (download build 464 or later)

Starting CA SSO 12.7 and above, it now has a new feature called “View Object Dependencies“. Using this feature you can find the dependent federation object for a given certificate directly from Admin UI.



Share on facebook
Share on google
Share on twitter
Share on linkedin
Share on pinterest

Leave a Reply

Your email address will not be published.