Hi there,
Our software is a SP, we let customers authenticate to our service using their own IdPs. We are using the high level API and we have a local certificate we are (I believe) signing messages with. However, this certificate is about to expire so we want to switch over to our new certificate. In the local service provider configuration, you can specify more than 1 local certificate. However, it makes sense that it would only use 1 certificate to sign the messages. You would only use multiple certificates if you were trying to decrypt a message (I believe).
Am I correct in assuming that it signs the messages only with the first certificate you specify in the LocalCertificates section, and it ignores the rest?
Your understanding is correct. The first certificate is used for signing. Multiple certificates only make sense for decrypting.
Also note that you can specify local certificates on the partner identity provider configurations as well. If this is done, these certificates are used instead of the certificate(s) in the local service provider configuration. This helps with staggering the roll out of your certificate to the various partner identity providers.
More information may be found in our Certificate Guide.
https://www.componentspace.com/Forums/8238/Certificate-Guide