Token Signing Certificate Expiry

Document ID : KB000098292
Last Modified Date : 07/06/2018
Question:
We recently replaced an expired certificate from the CDS, and we'd like to know how to do it without
having downtime. We've observed recently that changing an expired certificate needed downtime.

How can we avoid downtime?
Answer:
Starting with Policy Server and AdminUI 12.6, you can configure a 
"secondary certificate" so that the certificate can be replaced 
without downtime. 

Signature and Encryption Configuration for Federated Partnerships 

Select an alias from the certificate data store for the Verification 
Certificate Alias field. This field indicates which certificate 
verifies signed authentication requests or single logout requests or 
responses. If there is no certificate in the certificate data store, 
click Import to import one. 

(Optional) Select another alias from the certificate data store for 
the Secondary Verification Certificate Alias field. 

If verification of a signed authentication or logout request fails 
using the primary verification certificate alias, the IdP uses this 
secondary verification alias. If the certificate is not already in the 
certificate data store, click Import to import one. When secondary 
certificates are configured or updated for an active partnership, the 
run time automatically picks up the changes. You do not need to flush 
the cache manually from the UI for the changes to take effect. 

  https://docops.ca.com/ca-single-sign-on/12-7/en/configuring/partnership-federation/signature-and-encryption-configuration-for-federated-partnerships
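
The fallback the documentation describes (primary alias first, secondary only if that fails) is what lets a partner switch to a renewed certificate with no downtime. As an added illustration that is not CA SSO code, the following Go program models that verifier with two constructed RSA key pairs standing in for certificate-store aliases: both keys verify during the overlap window, and after the renewed key is promoted only it is accepted.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Verifier models the IdP's primary and secondary verification aliases: the
// primary certificate is tried first, the secondary (nil if unset) only on failure.
type Verifier struct{ Primary, Secondary *rsa.PublicKey }
func digest(msg []byte) []byte { d := sha256.Sum256(msg); return d[:] }
// Verify reports which alias accepted the signature, or an error if neither did.
func (v Verifier) Verify(msg, sig []byte) (string, error) {
	if rsa.VerifyPKCS1v15(v.Primary, crypto.SHA256, digest(msg), sig) == nil {
		return "primary", nil
	}
	if v.Secondary != nil && rsa.VerifyPKCS1v15(v.Secondary, crypto.SHA256, digest(msg), sig) == nil {
		return "secondary", nil
	}
	return "", errors.New("signature rejected by primary and secondary certificate")
}
// Promote finishes the rotation: the secondary becomes primary and the expired certificate is dropped.
func (v *Verifier) Promote() { v.Primary, v.Secondary = v.Secondary, nil }
// sign stands in for the federation partner signing its request with its private key.
func sign(k *rsa.PrivateKey, msg []byte) []byte {
	sig, err := rsa.SignPKCS1v15(rand.Reader, k, crypto.SHA256, digest(msg))
	if err != nil {
		panic(err)
	}
	return sig
}
// RotationDemo walks the overlap window with two constructed key pairs and returns the alias that verified each step.
func RotationDemo() []string {
	oldKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	newKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	req := []byte(`<samlp:AuthnRequest ID="constructed-sample"/>`) // constructed input, not a real request
	v := Verifier{Primary: &oldKey.PublicKey, Secondary: &newKey.PublicKey}
	p, _ := v.Verify(req, sign(oldKey, req)) // expiring certificate still accepted
	s, _ := v.Verify(req, sign(newKey, req)) // renewed certificate accepted via the secondary alias
	v.Promote()
	gone, _ := v.Verify(req, sign(oldKey, req)) // expired certificate no longer verifies ("")
	return []string{p, s, gone}
}

func main() { fmt.Println(RotationDemo()) } // prints [primary secondary ]
```

The same overlap applies to the partner side: it must start signing with the renewed key only after the IdP has the secondary alias in place, and the old alias should be removed only once no partner still signs with it.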

 
Additional Information:
Further reading related to the topic:

  Port Federation Certificate Management Enhancement from SSO 
  https://communities.ca.com/ideas/235738112 

  To benefit from that functionality, you'll need to upgrade your 
  environment to at least 12.6. We recommend that you upgrade to 12.8.