SAML signing and encryption use AM's secret stores functionality as of AM 7. See Mapping and Rotating Secrets for further information on managing these secrets.
AM uses a JCEKS keystore as its default keystore. The default location is: /path/to/openAM/keystore.jceks. You can change this by navigating to: Configure > Server Defaults > Security > Key Store > Keystore File.
It is recommended that you back up your keystore.jceks, .keypass and .storepass files before making any changes.
- Delete the expired certificate from the hosted IdP or SP keystore using the following command:
  $ keytool -delete -noprompt -alias [alias] -keystore [keystore] -storepass [password]
  replacing [alias], [keystore] and [password] with appropriate values.
- Import the new certificate into the hosted IdP or SP keystore using the following command:
  $ keytool -v -importkeystore -srckeystore [sourcekeystore] -srcstoretype PKCS12 -srcstorepass [sourcepassword] -destkeystore [keystore] -deststoretype [type] -deststorepass [password] -alias [alias]
  replacing [sourcekeystore], [sourcepassword], [keystore], [type], [password] and [alias] with appropriate values. The alias must match the alias of your expired certificate.
- Update the X.509 certificate in the hosted IdP or SP keystore using the following ssoadm command:
  $ ./ssoadm update-entity-keyinfo -u [adminID] -f [passwordfile] -y [entityID] -b [IdPsigningalias] -g [IdPencryptionalias]
  replacing [adminID], [passwordfile], [entityID], [IdPsigningalias] and [IdPencryptionalias] with appropriate values.
- Restart the web application container in which AM runs to apply these changes.
- Ensure any other applicable entity providers have also been updated with the new metadata. Use this article for hosted entity providers and see How do I renew expired certificates for a remote IdP or SP in AM (All versions)? for remote entity providers.
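The delete and import steps above, preceded by the recommended backup and an alias check, as an added shell example that is not part of this article or of ForgeRock's tooling. It assumes the default JCEKS store type, that .keypass and .storepass sit beside keystore.jceks, and it leaves the ssoadm update-entity-keyinfo step and the container restart to be done by hand; it also generalises the article slightly by letting the alias inside the new PKCS12 differ from the AM alias.

```shell
#!/bin/sh
# Added example, not ForgeRock's script: renews an expired hosted IdP/SP
# certificate in the AM keystore with keytool, taking the article's backup
# advice first. Assumptions: the store is the default JCEKS type, and the
# .keypass/.storepass files sit beside keystore.jceks. The ssoadm
# update-entity-keyinfo call and the container restart are still done by hand.
set -eu

# Copy keystore.jceks, .keypass and .storepass to a timestamped directory
# before anything is changed; prints the backup directory path.
backup_keystore_files() {
  store="$1"; dir=$(dirname "$store")
  backup="$dir/backup-$(date +%Y%m%d%H%M%S)"
  mkdir -p "$backup"
  for f in "$store" "$dir/.keypass" "$dir/.storepass"; do
    if [ -f "$f" ]; then cp -p "$f" "$backup/"; fi
  done
  printf '%s\n' "$backup"
}

# Succeeds only when the alias is present; keytool -list exits non-zero for
# an unknown alias, so this doubles as the "does the old entry exist" check.
alias_exists() {
  keytool -list -keystore "$1" -storetype JCEKS -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# renew_certificate <keystore> <storepass> <alias> <new.p12> <p12pass> [p12alias]
# Generalises the article's steps slightly: the alias inside the new PKCS12
# may differ from the AM alias, so -srcalias/-destalias map one onto the other.
renew_certificate() {
  store="$1"; storepass="$2"; alias="$3"; src="$4"; srcpass="$5"; srcalias="${6:-$3}"
  if ! alias_exists "$store" "$storepass" "$alias"; then
    echo "alias '$alias' not found in $store; refusing to continue" >&2
    return 1
  fi
  echo "backup written to $(backup_keystore_files "$store")"
  keytool -delete -noprompt -alias "$alias" \
    -keystore "$store" -storetype JCEKS -storepass "$storepass"
  keytool -v -importkeystore -srckeystore "$src" -srcstoretype PKCS12 -srcstorepass "$srcpass" \
    -destkeystore "$store" -deststoretype JCEKS -deststorepass "$storepass" \
    -srcalias "$srcalias" -destalias "$alias"
  # Print the new entry's validity so the expiry is confirmed before
  # ssoadm update-entity-keyinfo is run and the container restarted.
  keytool -list -v -keystore "$store" -storetype JCEKS -storepass "$storepass" -alias "$alias" \
    | grep -E 'Alias name|Valid from'
}

# Only act when invoked with arguments; sourcing the file just defines the functions.
if [ "$#" -ge 5 ]; then renew_certificate "$@"; fi
```

Run it as `sh renew_cert.sh /path/to/openAM/keystore.jceks <storepass> <alias> new.p12 <p12pass>` and then carry on with the ssoadm and restart steps.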
You can share updated metadata with other entity providers by exporting the metadata to an XML file or by providing a URL as detailed in How do I export and import SAML2 metadata in AM (All versions)?
If you have generated a self-signed certificate, it is not automatically trusted by other applications. In order to trust the new certificate, you need to export it from your keystore file and import it into the cacerts file for your Java installation. By default, your JVM keystore will be in your JAVA_HOME/JRE/lib/security/cacerts. Detailed steps are available in Using Self-Signed Certificates.