How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I renew expired certificates for a remote IdP or SP in AM (All versions)?

Last updated Apr 13, 2021

The purpose of this article is to provide information on renewing expired X.509 signing certificates for a remote IdP or SP (entity provider) for SAML2 Federation in AM.



Updating certificates

Note

Step 1 in the following process is optional; it is only needed if you have made extensive customizations to the extended metadata for the remote IdP or SP.

You can renew expired certificates as follows for a remote IdP or SP:

  1. Export the remote IdP or SP extended metadata, if required, using the following ssoadm command:

     $ ./ssoadm export-entity -u [adminID] -f [passwordfile] -e [realmname] -y [entityID] -c saml2 -x [extendedXMLfile]

     replacing [adminID], [passwordfile], [realmname], [entityID] and [extendedXMLfile] with appropriate values.
  2. Delete the remote IdP or SP using the following ssoadm command:

     $ ./ssoadm delete-entity -u [adminID] -f [passwordfile] -e [realmname] -y [entityID]

     replacing [adminID], [passwordfile], [realmname] and [entityID] with appropriate values.
  3. Import the remote IdP or SP using the following ssoadm command to re-create the entity provider:

     $ ./ssoadm import-entity -u [adminID] -f [passwordfile] -e [realmname] -t [entityCOT] -c saml2 -m [metadataXMLfile] -x [extendedXMLfile]

     replacing [adminID], [passwordfile], [realmname], [entityCOT], [metadataXMLfile] and [extendedXMLfile] with appropriate values. You only need to import the extended metadata (-x) if you exported it in step 1.
  4. Ensure any other applicable entity providers have also been updated with the new metadata. For AM-based entity providers, use this article for remote entity providers and see How do I renew expired certificates for a hosted IdP or SP in AM 5.x or 6.x? for hosted entity providers. You can share updated metadata with other entity providers by exporting the metadata to an XML file or by providing a URL as detailed in How do I export and import SAML2 metadata in AM (All versions)?
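The steps above as one script, added here as an example that is not part of this article or of ForgeRock's own tooling. It assumes ssoadm in the current directory, an administrator ID of amadmin and a placeholder password file path, and adds the preflight checks a practitioner would want before deleting the old entity: the new metadata declares the expected entityID, carries at least one X509Certificate, and that certificate (parsed with openssl) has not already expired.

```shell
# Added example, not ForgeRock's own tooling: preflight checks on the new
# remote-entity metadata, then the export/delete/import sequence from this
# article. The ssoadm path, admin ID and password file are assumptions.
set -eu
: "${SSOADM:=./ssoadm}"                # assumption: ssoadm in the current dir
: "${ADMIN_ID:=amadmin}"               # assumption: AM administrator ID
: "${PASSWORD_FILE:=/path/to/pwdfile}" # assumption: placeholder password file

# Print the entityID declared in a SAML2 metadata file (first match wins).
extract_entity_id() {
    sed -n 's/.*entityID="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Count X509Certificate opening tags (signing and encryption certificates).
cert_count() {
    grep -o '<[^/<>]*X509Certificate>' "$1" | wc -l | tr -d ' '
}

# Exit 0 only if the first certificate in the file parses and has not expired.
# Whitespace is stripped first, so the base64 body may span several lines.
cert_not_expired() {
    { printf '%s\n' '-----BEGIN CERTIFICATE-----'
      tr -d '\n\r\t ' <"$1" | tr '>' '\n' \
        | awk '/^<[^\/]*X509Certificate$/ { getline; sub(/<.*/, ""); print; exit }' \
        | fold -w 64
      printf '%s\n' '-----END CERTIFICATE-----'
    } | openssl x509 -noout -checkend 0 >/dev/null 2>&1
}

# The article's sequence: export the extended metadata (kept as a backup),
# delete the stale remote entity, import the new metadata. Nothing is changed
# unless the new metadata file passes the checks above.
renew_remote_entity() {
    realm=$1; entity_id=$2; cot=$3; new_meta=$4; ext_meta=${5:-}
    [ "$(extract_entity_id "$new_meta")" = "$entity_id" ] \
      || { echo "entityID in $new_meta is not $entity_id" >&2; return 1; }
    [ "$(cert_count "$new_meta")" -ge 1 ] \
      || { echo "no X509Certificate in $new_meta" >&2; return 1; }
    cert_not_expired "$new_meta" \
      || { echo "certificate in $new_meta is unreadable or expired" >&2; return 1; }
    "$SSOADM" export-entity -u "$ADMIN_ID" -f "$PASSWORD_FILE" -e "$realm" \
        -y "$entity_id" -c saml2 -x "extended-backup-$(date +%Y%m%d%H%M%S).xml"
    "$SSOADM" delete-entity -u "$ADMIN_ID" -f "$PASSWORD_FILE" -e "$realm" -y "$entity_id"
    # -x is passed only when a customised extended metadata file was supplied
    "$SSOADM" import-entity -u "$ADMIN_ID" -f "$PASSWORD_FILE" -e "$realm" \
        -t "$cot" -c saml2 -m "$new_meta" ${ext_meta:+-x "$ext_meta"}
}
```

Run it as `renew_remote_entity myrealm https://idp.example.test/idp mycot new-metadata.xml [customised-extended.xml]`; the export in step 1 always runs so the previous extended metadata is kept on disk even when it is not re-imported.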

See Also

How do I rollover certificates for an IdP or SP in AM 5.x or 6.x?

How do I renew expired certificates for a hosted IdP or SP in AM 5.x or 6.x?

How do I change the metaAlias for an existing IdP or SP in AM (All versions)?

How do I export and import SAML2 metadata in AM (All versions)?

SAML v2.0 Guide

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.