We recently replaced an expired Certificate from the CDS, and we'd like to know how to do it without having a downtime. We've observed recently that changing an expired certificate needed a downtime.
How can we avoid a downtime?
From Policy Server and AdminUI 12.6 onward, you can add a "secondary certificate" to avoid downtime when the certificate needs to be replaced.
Signature and Encryption Configuration for Federated Partnerships
Select an alias from the certificate data store for the Verification Certificate Alias field. This field indicates which certificate verifies signed authentication requests or single logout requests or responses. If there is no certificate in the certificate data store, click Import to import one.
(Optional) Select another alias from the certificate data store for the Secondary Verification Certificate Alias field.
If verification of a signed authentication or logout request fails using the primary verification certificate alias, the IdP uses this secondary verification alias. If the certificate is not already in the certificate data store, click Import to import one. When secondary certificates are configured or updated for an active partnership, the run time automatically picks up the changes. You do not need to flush the cache manually from the UI for the changes to take effect.
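The fallback the documentation describes (primary alias first, secondary alias only if the primary fails) is what makes a rotation without downtime possible, and it is worth seeing the whole sequence end to end. The Go program below is an added example written for this article; it is not SiteMinder code and does not use a SiteMinder API. It generates two constructed self-signed RSA certificates standing in for the partner's old and new signing certificates, models the two aliases as a `VerificationConfig` type (an assumption of the example), and walks through the rotation: the new certificate is first added as the secondary alias, the partner switches keys, the old certificate expires, and the new certificate is finally promoted to primary. The `partner-old`/`partner-new` names and the AuthnRequest stub are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// VerificationConfig models the two partnership fields from the article (Verification Certificate
// Alias and Secondary Verification Certificate Alias). Constructed for this example, not a SiteMinder API.
type VerificationConfig struct {
	Primary   *x509.Certificate
	Secondary *x509.Certificate // nil when no secondary alias is configured
}

// verifyWith checks a SHA-256/RSA signature over msg against one certificate, first
// rejecting a certificate that is outside its validity window at time now.
func verifyWith(cert *x509.Certificate, msg, sig []byte, now time.Time) error {
	if cert == nil {
		return fmt.Errorf("no certificate configured for this alias")
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return fmt.Errorf("certificate %q not valid at %s", cert.Subject.CommonName, now.Format(time.RFC3339))
	}
	return cert.CheckSignature(x509.SHA256WithRSA, msg, sig)
}

// Verify applies the documented fallback: the primary alias first, the secondary alias only
// if the primary fails. The returned name tells an operator which key the partner is using.
func (c VerificationConfig) Verify(msg, sig []byte, now time.Time) (string, error) {
	if verifyWith(c.Primary, msg, sig, now) == nil {
		return "primary", nil
	}
	if verifyWith(c.Secondary, msg, sig, now) == nil {
		return "secondary", nil
	}
	return "", fmt.Errorf("signature not verified by the primary or the secondary certificate")
}

// must panics on error: the keys and certificates below are throwaway demo material, so any failure to build them is a programming error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSigned builds a constructed RSA key and self-signed certificate standing in for a partner's signing certificate.
func selfSigned(cn string, notBefore, notAfter time.Time) (*rsa.PrivateKey, *x509.Certificate) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return key, must(x509.ParseCertificate(der))
}

// RunScenario walks through a rotation without downtime and returns which alias verified
// each request: "primary", "secondary", or "rejected" when neither did.
func RunScenario() []string {
	now, day := time.Now(), 24*time.Hour
	oldKey, oldCert := selfSigned("partner-old", now.Add(-365*day), now.Add(7*day)) // expires in a week
	newKey, newCert := selfSigned("partner-new", now.Add(-time.Hour), now.Add(365*day))
	msg := []byte(`<samlp:AuthnRequest ID="_constructed-example"/>`) // constructed stand-in for a signed request
	digest := sha256.Sum256(msg)
	oldSig := must(rsa.SignPKCS1v15(rand.Reader, oldKey, crypto.SHA256, digest[:]))
	newSig := must(rsa.SignPKCS1v15(rand.Reader, newKey, crypto.SHA256, digest[:]))
	var steps []string
	record := func(cfg VerificationConfig, sig []byte, at time.Time) {
		alias, err := cfg.Verify(msg, sig, at)
		if err != nil {
			alias = "rejected"
		}
		steps = append(steps, alias)
	}
	cfg := VerificationConfig{Primary: oldCert, Secondary: newCert} // 1: new cert added as the secondary alias
	record(cfg, oldSig, now)                   // partner still signs with the old key
	record(cfg, newSig, now)                   // 2: partner switches keys; the secondary takes over
	later := now.Add(30 * day)                 // 3: the old certificate has expired
	record(cfg, newSig, later)                 //    new-key requests still verify via the secondary
	record(cfg, oldSig, later)                 // 4: a request signed with the expired key is rejected
	cfg = VerificationConfig{Primary: newCert} // 5: new cert promoted to primary, old alias retired
	record(cfg, newSig, later)
	return steps
}

func main() {
	fmt.Println("alias used per step:", RunScenario())
}
```

The alias name returned by `Verify` is the operational signal: while requests still verify against the primary, the partner has not switched yet; once only the secondary verifies, the new certificate can be promoted and the old alias retired, at no point leaving a window in which signed requests fail.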
Further reading related to the topic:
Port Federation Certificate Management Enhancement from SSO https://communities.ca.com/ideas/235738112
To benefit from this functionality, you need to upgrade your environment to at least 12.6. We recommend upgrading to 12.8.
KB : KB000098292