How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I renew expired certificates for a hosted IdP or SP in AM 5.x or 6.x?

Last updated Jun 16, 2022

The purpose of this article is to provide information on renewing expired X.509 signing certificates for a hosted IdP or SP (entity provider) for SAML2 Federation in AM.



Overview

As of AM 7, SAML signing and encryption use AM's secret stores functionality; see Mapping and Rotating Secrets for further information on managing these secrets. The procedure below applies to AM 5.x and 6.x only.

Pre-AM 7

AM uses a JCEKS keystore as its default keystore. The default location is /path/to/openAM/keystore.jceks, and the keystore and private key passwords are read from the .storepass and .keypass files in the same directory. You can change the keystore by navigating to: Configure > Server Defaults > Security > Key Store > Keystore File.

Note

It is recommended that you back up your keystore.jceks, .keypass and .storepass files before making any changes.

Updating certificates

  1. Delete the expired certificate from the hosted IdP or SP keystore. The alias is a key entry, so this also removes the private key, which the next step replaces:

     $ keytool -delete -noprompt -alias [alias] -keystore [keystore] -storepass [password]

     replacing [alias], [keystore] and [password] with appropriate values.
  2. Import the new private key and certificate from a PKCS12 file into the hosted IdP or SP keystore:

     $ keytool -v -importkeystore -srckeystore [sourcekeystore] -srcstoretype PKCS12 -srcstorepass [sourcepassword] -srcalias [sourcealias] -destkeystore [keystore] -deststoretype [type] -deststorepass [password] -destalias [alias] -destkeypass [keypassword]

     replacing [sourcekeystore], [sourcepassword], [sourcealias], [keystore], [type], [password], [alias] and [keypassword] with appropriate values. [type] is JCEKS for the default keystore. [alias] must match the alias of the expired certificate you deleted, so that the entity provider configuration still resolves it. [keypassword] must be the private key password AM is configured with (the contents of the .keypass file); if the imported key is protected with a different password, AM cannot load it. The PKCS12 file must contain the private key as well as the certificate: a trusted certificate entry cannot be used for signing or decryption.
  3. Update the certificate information (the KeyDescriptor elements) in the hosted IdP or SP metadata using the following ssoadm command, which reads the certificate for each alias from the keystore:

     $ ./ssoadm update-entity-keyinfo -u [adminID] -f [passwordfile] -y [entityID] -b [IdPsigningalias] -g [IdPencryptionalias]

     replacing [adminID], [passwordfile], [entityID], [IdPsigningalias] and [IdPencryptionalias] with appropriate values. Add -e [realm] if the entity provider is not in the top-level realm. For a hosted SP, specify the SP aliases with -a (--spscertalias) and -r (--specertalias) instead.
  4. Restart the web application container in which AM runs so that AM reloads the keystore and the updated metadata.
  5. Ensure any other applicable entity providers have also been updated with the new metadata. Use this article for hosted entity providers and see How do I renew expired certificates for a remote IdP or SP in AM (All versions)? for remote entity providers.

You can share updated metadata with other entity providers by exporting the metadata to an XML file or by providing a URL, as detailed in How do I export and import SAML2 metadata in AM (All versions)?
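The procedure above as a single script, added here as an example; it is not from the article or from ForgeRock. It backs up the keystore and its password files, replaces the expired alias (steps 1 and 2), verifies that the result is a PrivateKeyEntry whose certificate has not expired before touching any metadata, and then runs ssoadm update-entity-keyinfo (step 3). The restart and the metadata redistribution (steps 4 and 5) are left to the operator. Every path, alias, password and entity ID is an assumed value set through environment variables, and the keytool listing embedded at the end is a constructed sample used only to exercise the parsing helpers.

```shell
#!/usr/bin/env bash
# Added example (not from the article or ForgeRock): renew an expired hosted
# IdP/SP certificate in an AM 5.x/6.x JCEKS keystore and update the metadata.
# Every value below (paths, aliases, passwords, entity ID) is an assumption;
# export the matching environment variable to override it.
set -eu

KEYSTORE=${KEYSTORE:-/path/to/openAM/keystore.jceks}  # AM default location
STOREPASS=${STOREPASS:-changeit}      # must match the .storepass file
KEYPASS=${KEYPASS:-changeit}          # must match .keypass or AM cannot load the key
ALIAS=${ALIAS:-saml-signing}          # signing alias referenced by the entity provider
ENC_ALIAS=${ENC_ALIAS:-$ALIAS}        # encryption alias (often the same key)
NEW_P12=${NEW_P12:-/tmp/renewed.p12}  # renewed private key + certificate, PKCS12
P12PASS=${P12PASS:-changeit}
ENTITY_ID=${ENTITY_ID:-https://idp.example.com/openam}
REALM=${REALM:-/}
SSOADM=${SSOADM:-/path/to/ssoadm}
ADMIN=${ADMIN:-amadmin}
PASSFILE=${PASSFILE:-/tmp/amadmin.pwd}

# --- helpers that parse "keytool -list -v" output read from stdin -------------

# Print one alias's record; "Alias name: " is 12 characters, so the alias starts at 13.
entry_record() {
  awk -v a="$1" '/^Alias name: / { inrec = (substr($0, 13) == a) } inrec { print }'
}

# Entry type of an alias: PrivateKeyEntry (usable for signing) or trustedCertEntry.
entry_type() {
  entry_record "$1" | awk -F': ' '/^Entry type:/ { print $2; exit }'
}

# The "until:" date of the first certificate in the alias's chain.
cert_until() {
  entry_record "$1" | sed -n 's/^Valid from: .* until: //p' | head -n 1
}

# True when a keytool-formatted date ("Tue Jun 13 10:00:00 UTC 2023") is in the past.
date_is_past() {
  local epoch year
  if epoch=$(date -u -d "$1" +%s 2>/dev/null); then
    [ "$epoch" -lt "$(date -u +%s)" ]
  else   # date(1) without -d (BSD/busybox): fall back to comparing the year field
    year=$(printf '%s\n' "$1" | awk '{ print $NF }')
    [ "$year" -lt "$(date -u +%Y)" ]
  fi
}

# --- the renewal procedure (steps 1 to 3 of the article) ----------------------
renew_hosted_cert() {
  local dir stamp src listing expiry
  dir=$(dirname "$KEYSTORE"); stamp=$(date +%Y%m%d%H%M%S)
  for f in "$KEYSTORE" "$dir/.storepass" "$dir/.keypass"; do   # back up first
    [ -f "$f" ] && cp -p "$f" "$f.$stamp.bak"
  done
  # Step 1: the alias is a key entry, so -delete removes the private key as well.
  keytool -delete -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$STOREPASS"
  # Step 2: import key and certificate under the same alias. The PKCS12 alias is
  # taken from the non-verbose listing, whose lines read "alias, date, type, ...".
  src=$(keytool -list -keystore "$NEW_P12" -storetype PKCS12 -storepass "$P12PASS" \
        | awk -F', ' '/PrivateKeyEntry/ { print $1; exit }')
  keytool -importkeystore -noprompt \
    -srckeystore "$NEW_P12" -srcstoretype PKCS12 -srcstorepass "$P12PASS" -srcalias "$src" \
    -destkeystore "$KEYSTORE" -deststoretype JCEKS -deststorepass "$STOREPASS" \
    -destalias "$ALIAS" -destkeypass "$KEYPASS"
  # Verify before touching metadata: a key entry whose certificate is not expired.
  listing=$(keytool -list -v -keystore "$KEYSTORE" -storepass "$STOREPASS")
  [ "$(printf '%s\n' "$listing" | entry_type "$ALIAS")" = PrivateKeyEntry ] \
    || { echo "$ALIAS is not a PrivateKeyEntry" >&2; return 1; }
  expiry=$(printf '%s\n' "$listing" | cert_until "$ALIAS")
  if date_is_past "$expiry"; then echo "$ALIAS still expired ($expiry)" >&2; return 1; fi
  # Step 3: rewrite the KeyDescriptor elements in the hosted entity's metadata.
  "$SSOADM" update-entity-keyinfo -u "$ADMIN" -f "$PASSFILE" -e "$REALM" \
    -y "$ENTITY_ID" -b "$ALIAS" -g "$ENC_ALIAS"
  echo "Renewed $ALIAS; now restart the AM container and redistribute the metadata."
}

# Constructed sample of "keytool -list -v" output (one expired key entry, one
# trusted certificate) for exercising the helpers without a real keystore.
SAMPLE_LISTING='Keystore type: JCEKS
Keystore provider: SunJCE

Your keystore contains 2 entries

Alias name: saml-signing
Creation date: Jun 13, 2022
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=idp.example.com, O=Example
Issuer: CN=idp.example.com, O=Example
Valid from: Mon Jun 13 10:00:00 UTC 2022 until: Tue Jun 13 10:00:00 UTC 2023

*******************************************

Alias name: test
Creation date: Jan 1, 2021
Entry type: trustedCertEntry
Owner: CN=test
Issuer: CN=test
Valid from: Fri Jan 01 00:00:00 UTC 2021 until: Wed Jan 01 00:00:00 UTC 2031'

# Run the procedure only when asked ("./renew.sh run"); the helpers stay usable alone.
[ "${1:-}" = run ] && renew_hosted_cert
```

The verification step is the part worth keeping even if you run the keytool commands by hand: ssoadm update-entity-keyinfo will happily publish whatever certificate is under the alias, so confirming the entry type and expiry first avoids distributing metadata that still carries an expired or certificate-only entry. Importing a self-signed certificate into the JVM cacerts, as described in the caution below, is not part of this script.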

Caution

If you have generated a self-signed certificate, it is not automatically trusted by other applications. In order to trust the new certificate, you need to export it from your keystore file and import it into the cacerts file for your Java installation. By default, the JVM trust store is $JAVA_HOME/jre/lib/security/cacerts on Java 8 and $JAVA_HOME/lib/security/cacerts on Java 11. Detailed steps are available in Using Self-Signed Certificates.

See Also

How do I rollover certificates for an IdP or SP in AM 5.x or 6.x?

How do I update the certificate alias for the signing key in the AM (All versions) keystore?

How do I renew expired certificates for a remote IdP or SP in AM (All versions)?

How do I change the metaAlias for an existing IdP or SP in AM (All versions)?

How do I export and import SAML2 metadata in AM (All versions)?

FAQ: SAML certificate management in AM 5.x and 6.x

SAML v2.0 Guide

Setting Up Keys and Keystores

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2022 ForgeRock, all rights reserved.