7. Key Rollover

To minimize interoperability issues, certificates should be long-lived and self-signed. Note that the security of the federation rests on the signing of the metadata, not on the certificate verification chain or the lifespan of the entity certificates. Signing and encryption certificates MUST NOT be expired.


1. Create a new key pair that complies with the federation's requirements.
2. Copy the existing metadata published in the federation and add a new KeyDescriptor element containing the certificate for the new key pair. Repeat this for each KeyDescriptor element (signing and encryption), if applicable.
3. Upload the metadata to the federation. Read more about how to publish metadata on the federation website.
4. Wait for the new metadata to be distributed and accepted by all relevant parties.
5. Configure the software to use the new private key. For an encryption key, keep the old private key available for decryption until the old KeyDescriptor has been removed from the distributed metadata, since other parties may still encrypt to the old certificate.
6. Remove the old KeyDescriptor element from the metadata and upload it to the federation.

Example metadata with old and new certificates.

<?xml version="1.0" encoding="UTF-8"?>
<!-- Example IdP EntityDescriptor as published during a key rollover: the
     certificates for both the existing and the new key pair are listed at the
     same time (for signing and for encryption). Once the new key is in use and
     the metadata has propagated, the old KeyDescriptor elements are removed. -->
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://myhost.example.com/simplesaml/saml2/idp/metadata.php" ID="pfx797787f7-e5bd-acc6-89ef-4d120e679a48">
  <!-- Enveloped signature over this EntityDescriptor; the Reference URI points at
       the ID attribute on the root element. Exclusive C14N (without comments) is
       used, so XML comments such as these are not part of the signed form.
       NOTE(review): rsa-sha1 and the sha1 digest are obsolete signature/digest
       algorithms; confirm whether the federation requires the SHA-256 variants. -->
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#pfx797787f7-e5bd-acc6-89ef-4d120e679a48">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>AzMFoTwyoKc0YHcPAaYl5jPIclE=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>Srzu2vX2+FC6tTNH+vImIdvfo8fXuWbcF4vkL3NdiTB/ZU3HTmjKg3KkNLKxw/DbGznNdnmi16ImWOqtETSbYDGPUwhYM13PvQ+OIfogmurj5sNE57pa3sg/MEOJB80A7axXCUKsOV4CqLTDZNh/d7imiS2G4VB7Kmo9o0y1ZQtkV6U5LWO87Mw9rIj+D16KiB2HVIqq/cxOJBa4A7BoVuqJi3Qsc7rDjZK8b6e/EhP1QKgfAPwmTIp7K88mfUlD3/fKo9EP5haLuXxjLLKySIwgqR56sLEwHttHMZMPg83zeOLgaeT8+qVA0NeplsM+2c5y2/OMk8vM9Q6ix7eOfg==</ds:SignatureValue>
    <!-- Certificate used to verify the signature above (certificate body elided in this example). -->
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>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</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <!-- Two signing KeyDescriptors during rollover: one carries the certificate of
         the existing key, the other the certificate of the new key. Which is which
         cannot be told from element order alone; compare against the previously
         published metadata. Relying parties accept signatures made with either key
         while both are listed. Certificate bodies are elided in this example. -->
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>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</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>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</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <!-- Two encryption KeyDescriptors during rollover (old and new certificate).
         NOTE(review): a relying party may encrypt to either listed certificate, so
         this entity must be able to decrypt with both private keys until the old
         KeyDescriptor has been removed from the distributed metadata. -->
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIDszCCApugAwIBAgIJAP7RfQ50pS1JMA0GCSqGSIb3DQEBCwUAMHAxCzAJBgNVBAYTAlNFMRIwEAYDVQQIDAlTdG9ja2hvbG0xEjAQBgNVBAcMCVN0b2NraG9sbTEMMAoGA1UECgwDSUlTMQwwCgYDVQQLDANGZWQxHTAbBgNVBAMMFHNhbWxpZHAubXlkb21haW4ubG9jMB4XDTE1MDgwNDExNDMzNloXDTIwMDgwMzExNDMzNlowcDELMAkGA1UEBhMCU0UxEjAQBgNVBAgMCVN0b2NraG9sbTESMBAGA1UEBwwJU3RvY2tob2xtMQwwCgYDVQQKDANJSVMxDDAKBgNVBAsMA0ZlZDEdMBsGA1UEAwwUc2FtbGlkcC5teWRvbWFpbi5sb2MwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDT1HIQFaO7i5Zxt/Nf6kyHzy7gDXXaxLO++E7cjbMnaWUg/5dsWU0oBLpme+1m+7DybQQsIg9+yjqkJkS22z/2go3MB9PBnxmiaplhAYjWN7oBGpo1R1dwofYQZnLo/iBH0rT+odzv8RvxkhLtGASpNR/b5MIwrnIpWLXgcSybAHNQPi/9peW5eNIq26AHF7QwxgUOHnSazNPCWkSjTye00uFHx8xHYQ7Fjq2pifzhTrDABZgtc3ws/bxOwxz2XnbLWAYhivUCSXCtNErLO68yO0X2NILtUJpJJ6JD+yRFjjBp6KFFwcsEIOHnJ7TW+jk+gAYFrRLRZb9Xp/yjO+JFAgMBAAGjUDBOMB0GA1UdDgQWBBTDeQkkzM7pXo6WQmW74xYTvPf5GDAfBgNVHSMEGDAWgBTDeQkkzM7pXo6WQmW74xYTvPf5GDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBawGnUJabQ/V9UG6/+tCZwKCge4qZKVQ67feu4NAIiQKrcnuuQb0U0g/CrwrJ2TTwHzRVJscf5KW9bWhK4Xuwm2Pq+ySTExHputJW8VaAYZ5J5G7K4M7H4zjCRJwdDSSNI3Jv4+Bs/sOi5jcLQ7wk0oCjQkiARFbB6On22WeAun618AHBTVgn0TsP2JasJyJJomrP6IqVF2Ox6/NB0GEr1gRAv5Apzvxvgra72JN9DcPjgsceJrRpTa8BBAglj87SFPq9khCrv1mnu2PQU0KM7aw35IjvgOdAXnBVmMX+S1UvB6UkT6L2T8PbjAR4Y3k8B4lbJxPVfk807TmA07bYF</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>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</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <!-- Endpoints and NameID formats are unaffected by the key rollover. -->
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://myhost.example.com/simplesaml/saml2/idp/SingleLogoutService.php"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://myhost.example.com/simplesaml/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
  <!-- Organization information, one entry per language (xml:lang).
       NOTE(review): OrganizationURL is an anyURI; "www.example.com" has no scheme —
       confirm the federation accepts this or publish an absolute https URL. -->
  <md:Organization>
    <md:OrganizationName xml:lang="en">Example organization</md:OrganizationName>
    <md:OrganizationName xml:lang="sv">Exempel organisation</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">Example organization</md:OrganizationDisplayName>
    <md:OrganizationDisplayName xml:lang="sv">Exempel organisation</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">www.example.com</md:OrganizationURL>
    <md:OrganizationURL xml:lang="sv">www.example.com</md:OrganizationURL>
  </md:Organization>
  <!-- Technical and support contacts, each given once per language. -->
  <md:ContactPerson contactType="technical" xml:lang="sv">
    <md:GivenName>Kalle</md:GivenName>
    <md:SurName>Andersson</md:SurName>
    <md:EmailAddress>kalle.andersson@example.com</md:EmailAddress>
    <md:TelephoneNumber>+468123456</md:TelephoneNumber>
  </md:ContactPerson>
  <md:ContactPerson contactType="technical" xml:lang="en">
    <md:GivenName>Kalle</md:GivenName>
    <md:SurName>Andersson</md:SurName>
    <md:EmailAddress>kalle.andersson@example.com</md:EmailAddress>
    <md:TelephoneNumber>+468123456</md:TelephoneNumber>
  </md:ContactPerson>
  <md:ContactPerson contactType="support" xml:lang="sv">
    <md:GivenName>Kalle</md:GivenName>
    <md:SurName>Andersson</md:SurName>
    <md:EmailAddress>kalle.andersson@example.com</md:EmailAddress>
    <md:TelephoneNumber>+468123456</md:TelephoneNumber>
  </md:ContactPerson>
  <md:ContactPerson contactType="support" xml:lang="en">
    <md:GivenName>Kalle</md:GivenName>
    <md:SurName>Andersson</md:SurName>
    <md:EmailAddress>kalle.andersson@example.com</md:EmailAddress>
    <md:TelephoneNumber>+468123456</md:TelephoneNumber>
  </md:ContactPerson>
</md:EntityDescriptor>
