...
- Create the key and add it to the software to be able to decrypt incoming messages.
- Upload the new XML with the old cert (marked use=signing) and new cert without any use attribute to metadata.swamid.se/admin and request publication. Wait until you get confirmation of publication and then for at least 8 h more (recommended 24 h if in SWAMID and 48 h in eduGAIN) for all entities to pick up the new cert/key.
- All encrypted messages should now come with the new key and all entities should now have our new signing key/cert. Switch the software to start signing with the new key.
- Request removal of old cert via metadata.swamid.se/admin and request publication. Wait until you get confirmation of publication and then for at least 8 h more (recommended 24 h if in SWAMID and 48 h in eduGAIN) for all entities to stop using the old encryption cert/key.
- Disable / remove key from software.
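A check that can be run on the published metadata at the end of each waiting step, added here as an example and not part of the SWAMID documentation: it classifies the rollover phase from the KeyDescriptor elements described in the steps above. The function names, phase labels, entityID and sample certificates are constructed for illustration, and the metadata is assumed to have had its signature verified already.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BOTH = {"signing", "encryption"}

def fingerprint(b64_text):
    """SHA-256 over the decoded bytes of a ds:X509Certificate element."""
    return hashlib.sha256(base64.b64decode("".join((b64_text or "").split()))).hexdigest()

def key_uses(metadata_xml):
    """Map certificate fingerprint -> set of uses published for it."""
    uses = {}
    for kd in ET.fromstring(metadata_xml).iterfind(".//md:KeyDescriptor", NS):
        # A KeyDescriptor without a use attribute applies to signing and encryption.
        purposes = {kd.get("use")} if kd.get("use") else BOTH
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            uses.setdefault(fingerprint(cert.text), set()).update(purposes)
    return uses

def rollover_phase(metadata_xml, old_fp, new_fp):
    """Return a hypothetical phase label for the old/new certificate pair."""
    uses = key_uses(metadata_xml)
    old, new = uses.get(old_fp, set()), uses.get(new_fp, set())
    if old and not new:
        return "before"
    if old == {"signing"} and new == BOTH:
        return "transition"  # old cert use=signing, new cert without use
    if not old and new == BOTH:
        return "finished"    # old cert removed
    return "unexpected"

# Constructed sample data below: placeholder bytes, not real certificates.
def sample_kd(cert_bytes, use=None):
    attr = f' use="{use}"' if use else ""
    b64 = base64.b64encode(cert_bytes).decode()
    return (f"<md:KeyDescriptor{attr}><ds:KeyInfo><ds:X509Data><ds:X509Certificate>"
            f"{b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>")

def sample_metadata(*descriptors):
    return ('<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
            'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.org/sp">'
            "<md:SPSSODescriptor>" + "".join(descriptors) +
            "</md:SPSSODescriptor></md:EntityDescriptor>")

OLD, NEW = b"constructed-old-cert", b"constructed-new-cert"
OLD_FP, NEW_FP = hashlib.sha256(OLD).hexdigest(), hashlib.sha256(NEW).hexdigest()
```

Anything other than "transition" after the first publication, or "finished" after the second, means the published metadata does not match the step you believe you are on.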
Metadata during Key rollover
For information on how the metadata will look during each phase, please see Metadata during Key rollover.
Steps in different software
- Shibboleth IdP
- Shibboleth SP
- ADFS
- SimpleSAMLphp
Old pages
...