SAML certificate updates with vendors

Document ID : KB000102873
Last Modified Date : 20/06/2018
Introduction:
We have a public certificate at the IDP that is expiring soon, and it is in use by more than 100 vendors (on the SP side). Is there a quick way to make this SAML 2.0 certificate update? Updating each Partnership one by one seems very impractical.
 
Background:
This environment has a single IDP in Federation Partnerships with more than 100 Service Providers. When the IDP public certificate is about to expire, the renewed certificate must be shared with every Service Provider; the IDP does this by exporting its metadata, which each SP imports on its side. On the IDP side, each of the 100+ partnerships must also start using the renewed certificate. Rather than editing every partnership, this is done in the Certificate Data Store (CDS): the partnerships reference the certificate by its CDS alias, so placing the renewed certificate under that alias updates all of them at once.
Environment:
CA SSO R12.52SP1
Federation Partnership
More than 100 Service Providers, Single IDP
Instructions:
Your partnerships reference a public certificate that is expiring soon and you want to replace it with a renewed one. You do not want to modify all the partnerships; instead you make the change in the CDS (Certificate Data Store), renaming aliases so that the alias the partnerships already use ends up pointing at the renewed certificate.

Test the following in a lower environment first.

0. Turn on CDS logging for both the AdminUI and the Policy Server, so that if anything goes wrong you have clues as to what happened.

Certificate Data Store (CDS) Logging 
https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/administrating/logs-for-administrating-ca-sso-components/certificate-data-store-logging 

1. Import the renewed certificate using the AdminUI under a temporary alias, for example currentcertrenewed. The IDP signs with this certificate, so if the renewal came with a new private key, import the key pair (certificate and private key), not only the public certificate.

2. Rename the alias of the certificate that is about to expire to a new alias, for example currentcertexpired:
./smkeytool.sh -renameAlias -alias <currentcert_alias> -newalias currentcertexpired

3. Flush the SM / Policy Server cache (ALL).

The alias the partnerships reference is now free, so the renewed certificate can take it over:

4. Rename the renewed certificate (currentcertrenewed) to the alias the partnerships reference. Note that the source alias here is the temporary one from step 1, not <currentcert_alias>, which no longer exists after step 2:
./smkeytool.sh -renameAlias -alias currentcertrenewed -newalias <currentcert_alias>

5. Flush the SM / Policy Server cache (ALL).

6. List the certificates in your CDS with ./smkeytool.sh -listCerts to confirm that everything needed is present: the renewed certificate under <currentcert_alias> and the old one under currentcertexpired, with no leftover temporary alias. Keep the old certificate under currentcertexpired until every Service Provider has confirmed the update, so that you can rename it back if a partner has not caught up. The alias swap changes only the IDP side: a Service Provider that has not yet imported the renewed public certificate (for example from the re-exported IDP metadata) will reject assertions signed with the new key from the moment the cache is flushed in step 5, so schedule the swap after the SPs have updated.
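The six steps above, scripted as an added example (not code from the KB article or from CA). It goes a little beyond the page: it refuses to run unless the store looks exactly as expected, rolls the first rename back if the second one fails, and checks the end state instead of leaving that to the operator. It assumes smkeytool.sh is reachable through SMKEYTOOL and supports -listCerts plus the -renameAlias form used above; the exact -listCerts output format is not documented on this page, so the script assumes each alias is printed as a whitespace-delimited token (trailing punctuation tolerated). The cache flush of steps 3 and 5 is left to FLUSH_CACHE_CMD, because the page gives no command-line equivalent; when it is unset the script only prints a reminder to flush from the AdminUI.

```shell
#!/bin/sh
# Alias swap of the IdP signing certificate in the CA SSO Certificate Data Store.
# Added example, not code from the KB article or from CA. Assumptions:
#   - SMKEYTOOL is this Policy Server's smkeytool.sh and supports
#     "-listCerts" and "-renameAlias -alias <old> -newalias <new>".
#   - "-listCerts" prints each alias as a whitespace-delimited token
#     (a trailing comma, semicolon or colon on the token is tolerated).
#   - FLUSH_CACHE_CMD flushes the Policy Server cache (ALL) in your setup;
#     if it is unset, a reminder to flush from the AdminUI is printed instead.

SMKEYTOOL="${SMKEYTOOL:-./smkeytool.sh}"
FLUSH_CACHE_CMD="${FLUSH_CACHE_CMD:-}"

# alias_exists <alias>: exit 0 if the alias is present in the CDS listing.
alias_exists() {
    "$SMKEYTOOL" -listCerts 2>/dev/null | awk -v want="$1" '
        { for (i = 1; i <= NF; i++) { sub(/[,;:]+$/, "", $i); if ($i == want) found = 1 } }
        END { exit found ? 0 : 1 }'
}

# Steps 3 and 5: flush the Policy Server cache (ALL).
flush_cache() {
    if [ -n "$FLUSH_CACHE_CMD" ]; then
        sh -c "$FLUSH_CACHE_CMD"
    else
        echo "REMINDER: flush the Policy Server cache (ALL) in the AdminUI now" >&2
    fi
}

# rename_alias <old> <new>: the smkeytool form used by the procedure.
rename_alias() {
    "$SMKEYTOOL" -renameAlias -alias "$1" -newalias "$2"
}

# rotate_idp_cert <current_alias> <renewed_alias> <expired_alias>
#   current_alias : the alias the 100+ partnerships reference (left untouched)
#   renewed_alias : temporary alias given to the renewed key pair at import (step 1)
#   expired_alias : where the expiring certificate is parked (keep it until
#                   every Service Provider has confirmed the update)
rotate_idp_cert() {
    cur=$1; renewed=$2; expired=$3
    # Preflight: touch nothing unless the store looks exactly as expected.
    alias_exists "$cur"     || { echo "ERROR: alias '$cur' not found in CDS" >&2; return 1; }
    alias_exists "$renewed" || { echo "ERROR: renewed certificate '$renewed' not imported yet" >&2; return 1; }
    if alias_exists "$expired"; then
        echo "ERROR: alias '$expired' already exists; choose another parking alias" >&2
        return 1
    fi
    # Step 2: move the expiring certificate out of the way.
    rename_alias "$cur" "$expired" || return 1
    flush_cache
    # Step 4: give the renewed certificate the alias the partnerships use.
    if ! rename_alias "$renewed" "$cur"; then
        echo "ERROR: second rename failed; restoring '$cur' from '$expired'" >&2
        rename_alias "$expired" "$cur"
        flush_cache
        return 1
    fi
    flush_cache
    # Step 6: the store must now hold current + expired and no leftover temp alias.
    alias_exists "$cur" && alias_exists "$expired" && ! alias_exists "$renewed"
}

# Usage: SMKEYTOOL=/path/to/smkeytool.sh sh rotate_cds_alias.sh <current> <renewed> <expired>
if [ "$#" -eq 3 ]; then
    rotate_idp_cert "$@"
fi
```

Run it once in the lower environment with CDS logging on (step 0) and compare the -listCerts output before and after; the preflight check on the parking alias is what stops a second accidental run from renaming the already-rotated certificate again.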

Refer to these links for syntax and further details:

Smkeytool: 
https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/administrating/policy-server-tools/ca-siteminder-key-tool 