This is one of a series of documents regarding the use of X.509 certificates in metadata. The following instructions are intended for InCommon Federation participants wishing to replace an old certificate with a new certificate in metadata. Such a migration process (or key rollover, as it is sometimes called) is required, for example, in the case of expired certificates.


Getting Started

Start by reading the Key Usage topic and the sections below on Metadata Propagation and Implementation Support, which set the stage for certificate migration. If you're an IdP site administrator, continue by reading the article on Migrating a Certificate in IdP Metadata. SP site administrators, on the other hand, should read the article on Migrating a Certificate in SP Metadata instead.

...

For general information about certificate migration strategies, see the comprehensive document on key rollover.

...

Multiple Keys for One Entity

Some of the procedures documented on the child pages of this wiki page lead to a situation where there are multiple key descriptors (md:KeyDescriptor elements) per role descriptor (for example, md:IDPSSODescriptor or md:SPSSODescriptor) in metadata. In particular, to migrate a signing key, two signing keys will appear in metadata for a time: the old key and the new key are published side by side, the entity switches to signing with the new key only after metadata containing both keys has propagated to relying parties, and the old key is removed only after that switch. This overlap is required to avoid interoperability problems, since a relying party that still has only the old key in its copy of metadata will reject anything signed with the new one.
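The following Python script is an added example, not code from this wiki or from InCommon: it parses an entity's SAML 2.0 metadata, lists the certificates published per role descriptor and per key use, and checks whether a given certificate may safely become the active signing key (that is, whether it is already published as a signing key). The metadata fragments and the base64 "certificate" values are constructed placeholders standing in for real DER certificates; the function names (`keys_by_use`, `safe_to_activate`, `rollover_state`) are this example's own. It also handles the case the migration pages rely on: a KeyDescriptor with no `use` attribute is valid for both signing and encryption.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces used in SAML 2.0 metadata.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ROLES = ("IDPSSODescriptor", "SPSSODescriptor", "AttributeAuthorityDescriptor")

# Constructed placeholders: base64 of arbitrary bytes, NOT real certificates.
OLD_CERT_B64 = base64.b64encode(b"old-signing-cert-placeholder").decode()
NEW_CERT_B64 = base64.b64encode(b"new-signing-cert-placeholder").decode()


def _key_descriptor(cert_b64, use=None):
    use_attr = f' use="{use}"' if use else ""
    return (f"<md:KeyDescriptor{use_attr}><ds:KeyInfo><ds:X509Data>"
            f"<ds:X509Certificate>{cert_b64}</ds:X509Certificate>"
            "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>")


def _idp_entity(key_descriptors):
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
            'entityID="https://idp.example.edu/idp/shibboleth">'
            '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            + "".join(key_descriptors) +
            "</md:IDPSSODescriptor></md:EntityDescriptor>")


# Constructed sample 1: steady state, one key with no use attribute (both uses).
SAMPLE_STEADY = _idp_entity([_key_descriptor(OLD_CERT_B64)])
# Constructed sample 2: mid-rollover, old and new keys both published for signing.
SAMPLE_ROLLOVER = _idp_entity([_key_descriptor(OLD_CERT_B64, "signing"),
                               _key_descriptor(NEW_CERT_B64, "signing")])


def fingerprint(cert_b64: str) -> str:
    """SHA-256 over the DER bytes, i.e. the decoded ds:X509Certificate payload."""
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.sha256(der).hexdigest()


def keys_by_use(metadata_xml: str) -> dict:
    """Return {role: {"signing": [fp, ...], "encryption": [fp, ...]}} for each
    role descriptor directly under the md:EntityDescriptor. A KeyDescriptor
    without a use attribute is valid for both uses, so it is listed under both."""
    root = ET.fromstring(metadata_xml)
    result = {}
    for role in ROLES:
        for rd in root.findall(f"md:{role}", NS):
            uses = {"signing": [], "encryption": []}
            for kd in rd.findall("md:KeyDescriptor", NS):
                use = kd.get("use")
                targets = [use] if use in uses else list(uses)
                for cert in kd.findall(".//ds:X509Certificate", NS):
                    fp = fingerprint(cert.text or "")
                    for t in targets:
                        uses[t].append(fp)
            result[role] = uses
    return result


def safe_to_activate(metadata_xml: str, role: str, cert_b64: str) -> bool:
    """True only if the key the entity wants to start signing with is already
    published as a signing key for that role. Switching before this holds
    breaks every relying party that has refreshed its metadata."""
    keys = keys_by_use(metadata_xml)
    return fingerprint(cert_b64) in keys.get(role, {}).get("signing", [])


def rollover_state(metadata_xml: str, role: str) -> str:
    """Classify a role by how many signing keys it currently publishes."""
    n = len(keys_by_use(metadata_xml)[role]["signing"])
    return {0: "no-signing-key", 1: "steady-state"}.get(n, "rollover-in-progress")


if __name__ == "__main__":
    for label, md in (("steady", SAMPLE_STEADY), ("rollover", SAMPLE_ROLLOVER)):
        print(label, rollover_state(md, "IDPSSODescriptor"),
              "new key safe to activate:",
              safe_to_activate(md, "IDPSSODescriptor", NEW_CERT_B64))
```

Run it against a real entity's metadata by replacing the constructed samples with the file fetched from the federation aggregate; the fingerprint comparison is what you would check on the relying-party side before an IdP or SP flips its active signing key.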

...