How To

How do I change the Signing Key for Federation in OpenAM 13.x?

Last updated Jan 5, 2021

The purpose of this article is to provide information on changing the Signing Key for Federation in OpenAM. This information applies to changing SAML2 and OAuth certificates if you are using XUI.

1 reader recommends this article

This article has been archived and is no longer maintained by ForgeRock.

Changing the signing key

The default 'test' certificate alias used for SAML2 and OAuth signing keys is also used by the XUI and for REST authentication in OpenAM.


If you have multiple servers in a site, you can clone the keys and certificates by exporting and re-importing to another keystore or by simply copying the keystore across. The aliases in the keystores don't have to match providing each server points to the right aliases for its own keystore.

The JKS keystore is used in OpenAM 13; a new JCEKS keystore type was introduced in OpenAM 13.5, which is used by default for new OpenAM 13.5 installations. If you have upgraded to OpenAM 13.5, the JKS keystore is still used by default. See OpenAM 13.5 Release Notes › Smarter Security Features for further information about the JCEKS keystore.

The keystore type affects the process used to change the signing key as follows:

See Also

Unable to login to OpenAM 13.x console or access REST API after changing the Federation Signing Key 

How do I update the certificate alias for the signing key in the AM (All versions) keystore?

FAQ: SAML certificate management in AM 6.x

idmdude - How to Configure OpenAM Signing Keys

Related Training


Related Issue Tracker IDs

OPENAM-6824 (Procedure To Change the Signing Key for Federation results in being locked out of XUI)

OPENAM-6003 (value for 'iplanet-am-auth-key-alias' should be checked when saving)

Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.