This page describes the process of certificate rollover for identity providers registered in SWAMID, written here for ADFS (the Shibboleth Identity Provider uses the same federation-side steps). The procedure below replaces the certificates without any service disruption, because the new key is published alongside the old one and the old one is only removed after every relying party has had time to fetch the updated metadata.
In the SWAMID default installation an entity has both an encryption certificate and a signing certificate, and both are rolled over.
Step 0 : Create a new certificate
(Editor's note: should they create a new one themselves, or should we describe ADFS auto-rollover, or both?)
Step 1 : Add the key to xxxxx
(Editor's note: is this done automatically?)
Step 2 : Upload new Metadata
ADFS normally publishes the new signing certificate in this step and rolls the encryption certificate in step 4. After this step the published metadata therefore carries both the old and the new signing certificate, and still only the old encryption certificate.
- Upload the XML from https://adfs.example.com/federationmetadata/2007-06/federationmetadata.xml to metadata.swamid.se/admin.
- Remove the SP or IdP part if the ADFS server is not going to be used in both roles.
- Use "Merge missing from published" to copy over all entity categories and MDUI information from the old entity.
- Request publication.
- Wait until you get confirmation of publication and then for at least 8 h more (recommended 24 h if in SWAMID and 48 h in eduGAIN) for all entities to pick up the new certificate/key. Do not proceed earlier: a relying party that has not yet refreshed its metadata cannot validate assertions signed with the new key.
Step 3 : Wait for ADFS to switch to the new signing certificate internally
(Editor's note: can you write something useful about how to see that this has happened?)
Step 4 : Upload new Metadata again
ADFS should now have removed the old signing certificate from the XML and replaced the encryption certificate in https://adfs.example.com/federationmetadata/2007-06/federationmetadata.xml. Verify this before uploading: if the old signing certificate is still present, step 3 is not finished.
- Upload the XML from https://adfs.example.com/federationmetadata/2007-06/federationmetadata.xml to metadata.swamid.se/admin.
- Remove the SP or IdP part if the ADFS server is not going to be used in both roles.
- Use "Merge missing from published" to copy over all entity categories and MDUI information from the old entity.
- Request publication.
- Wait until you get confirmation of publication and then for at least 8 h more (recommended 24 h if in SWAMID and 48 h in eduGAIN) for all entities to pick up the new certificate/key. Only after this waiting period may the old keys be considered retired.
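The check that steps 2 through 4 rely on is "which certificates, for which use, are in the metadata right now?". The following script is an added example (it is not part of this page, SWAMID's tooling or ADFS) that reads a SAML 2.0 EntityDescriptor, lists every KeyDescriptor in a role with the SHA-256 fingerprint of its certificate, and classifies the signing and encryption keys as old only, both, new only or neither, so the result can be compared with what each step expects. The entityID, the hostname adfs.example.com, the role name and the "certificates" are constructed stand-ins (short byte strings rather than real DER) so the block runs offline; fingerprints are computed the same way as for a real certificate.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def cert_fingerprint(x509_b64: str) -> str:
    """SHA-256 fingerprint (hex) of the body of an X509Certificate element.

    Metadata usually wraps the base64 over many lines, so all whitespace is
    stripped before decoding.
    """
    der = base64.b64decode("".join(x509_b64.split()))
    return hashlib.sha256(der).hexdigest()


def list_keys(metadata_xml: str, role: str = "IDPSSODescriptor") -> list:
    """Return [(use, fingerprint), ...] for every certificate in the given role.

    A KeyDescriptor without a 'use' attribute is valid for both signing and
    encryption and is reported with use=None.
    """
    root = ET.fromstring(metadata_xml)
    keys = []
    for role_el in root.findall(f"md:{role}", NS):
        for kd in role_el.findall("md:KeyDescriptor", NS):
            use = kd.get("use")
            for cert in kd.findall(".//ds:X509Certificate", NS):
                keys.append((use, cert_fingerprint(cert.text)))
    return keys


def rollover_phase(metadata_xml: str, old: dict, new: dict,
                   role: str = "IDPSSODescriptor") -> dict:
    """Classify the 'signing' and 'encryption' keys as old/both/new/neither.

    old and new map each use to the fingerprint of the certificate being
    retired and of the certificate replacing it.
    """
    keys = list_keys(metadata_xml, role)
    phase = {}
    for use in ("signing", "encryption"):
        fps = {fp for u, fp in keys if u in (use, None)}
        has_old, has_new = old[use] in fps, new[use] in fps
        phase[use] = ("both" if has_old and has_new
                      else "new" if has_new
                      else "old" if has_old
                      else "neither")
    return phase


# State the published entity is expected to be in at each point of the
# procedure on this page: step 2 adds the new signing key next to the old one,
# step 4 drops the old signing key and swaps the encryption key.
EXPECTED = {
    "after step 2": {"signing": "both", "encryption": "old"},
    "after step 4": {"signing": "new", "encryption": "new"},
}


def matches_step(phase: dict, step: str) -> bool:
    return phase == EXPECTED[step]


# Constructed stand-in certificates (not real DER, so the example is offline).
OLD_SIG = base64.b64encode(b"old token-signing cert (stand-in)").decode()
NEW_SIG = base64.b64encode(b"new token-signing cert (stand-in)").decode()
OLD_ENC = base64.b64encode(b"old token-decrypting cert (stand-in)").decode()
NEW_ENC = base64.b64encode(b"new token-decrypting cert (stand-in)").decode()
OLD = {"signing": cert_fingerprint(OLD_SIG), "encryption": cert_fingerprint(OLD_ENC)}
NEW = {"signing": cert_fingerprint(NEW_SIG), "encryption": cert_fingerprint(NEW_ENC)}


def build_metadata(keys) -> str:
    """Build a minimal constructed IdP EntityDescriptor (not real ADFS output)."""
    kds = "".join(
        f'<KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data>'
        f"<ds:X509Certificate>{b64}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></KeyDescriptor>"
        for use, b64 in keys
    )
    return (
        '<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
        'entityID="http://adfs.example.com/adfs/services/trust">'
        f"<IDPSSODescriptor>{kds}</IDPSSODescriptor></EntityDescriptor>"
    )


# What the metadata looks like at the step 2 and step 4 uploads.
STEP2_XML = build_metadata([("encryption", OLD_ENC), ("signing", NEW_SIG), ("signing", OLD_SIG)])
STEP4_XML = build_metadata([("encryption", NEW_ENC), ("signing", NEW_SIG)])

if __name__ == "__main__":
    for step, xml in (("after step 2", STEP2_XML), ("after step 4", STEP4_XML)):
        phase = rollover_phase(xml, OLD, NEW)
        print(step, phase, "OK" if matches_step(phase, step) else "NOT READY")
```

In practice, feed list_keys the body fetched from the ADFS federationmetadata URL above (to confirm step 3 has completed before uploading in step 4) and the entity as published by SWAMID (to confirm what relying parties currently see). The script only looks at the SAML roles (IDPSSODescriptor, SPSSODescriptor); the WS-Federation RoleDescriptor elements that ADFS also publishes are ignored, which is fine for a SWAMID entity.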