Options for replacing expired service provider certificate with zero downtime?

My organization operates a service provider solution in a load balanced production environment that is live 24x7x365. The certificate associated with the service provider will expire soon and I am looking for the least intrusive way to replace the certificate.

Most ideally, I would like to be able to configure the service provider to accept both the old and the new certificate concurrently for a transition period, to give our partners an opportunity to update the certificate on their end. I could of course host a new version of the service provider at a different URL and ask our partners to switch to the new URL when they start using the new certificate, however this places an extra burden on them that I would like to avoid.

What other options do I have? Is there a way, either through the high-level API (which we’re currently using) or the low level API to allow for the service provider to accept multiple certificates concurrently? Any other suggestions? We’re currently specifying the service provider certificate using the “CertificateSubject” attribute of the “ServiceProvider” element in the saml.config file.

I’ve looked through the documentation and past questions but I don’t find anything relevant to this scenario of replacing expired certificates. Any assistance will be appreciated.



Hi Phil
We support the local service provider certificate being specified on the as well as the . This means that you can use a different certificate for each partner identity provider.
This support was added last year. Could you please contact support@componentspace.com mentioning this topic? We can check which version you have and provide an update if required.

Thanks I’ll contact support regarding the version as you suggest.

However will specifying the service provider certificate on the actually allow me to achieve a rollout in which I add support for a partner to use our new service provider certificate without breaking the ability of that same partner to use the old service provider certificate? That is what I would need to avoid having to precisely synchronize the update to our system with the update to the partner’s system.

The service provider certificate is used either to sign messages (eg sign the authn request sent during SP-initiated SSO) or decrypt SAML assertions.
The partner identity provider will use your certificate to verify signatures or encrypt assertions.
I’m not quite following what you mean about a partner identity provider using either your old or new certificate.
For signing, you will use whatever certificate (old or new) is configured for that partner identity provider.
For decryption there is scope that the partner identity provider is still using your old certificate and will transition to the new certificate at some stage.
In this instance I can see where being able to specify the old and new certificate would make sense. You don’t know when the partner identity provider will make the transition so an attempt to decrypt should be made using the old and new certificates.
Let me know if I understand your requirements. Thanks.

“You don’t know when the partner identity provider will make the transition so an attempt to decrypt should be made using the old and new certificates.” - yes, this is what I’m looking for. Is there a way to achieve it with ComponentSpace?

Currently we don’t include this functionality. However, this is something we can look at adding. Please contact support@componentspace.com so we can discuss a possible timeframe.