Local Certificate - use both SHA-1 and SHA-256?

We have been using the component for several years, strictly for SP-initiated SSO, and 3 years ago we self-generated a SHA-1 certificate that all of our Partners are using. Now we have a potential Partner that requires our cert be SHA-256, and I can’t find a way to configure this. It seems like the LocalCertificateFile that is defined at the top of the saml.config file is the only place where this cert can be defined, and only for a single value. I don’t see a per-Partner property or configuration option, so I’m wondering if this is not possible or if I’m just missing it.

We want to migrate our cert to SHA-256 later this year regardless, so it seems reasonable to be able to use more than one signing cert at a time for that purpose as well. Is there a way to do this?

thank you.

Jeff Woodie

Hi Jeff,
Yes, this certainly is possible. The LocalCertificateFile can be specified on the / as well as the /. If specified for a particular partner, that certificate is used for that partner. Otherwise, the certificate specified for your / is used. In other words, a LocalCertificateFile specified as part of a partner configuration overrides any LocalCertificateFile for the local provider configuration. The primary purpose of this configuration is to support a staggered roll out of a new certificate.
Please refer to the “Certificate Rollover” section of our Certificate Guide for more details.

Perfect, thank you for pointing me in the right direction.

You’re welcome.