Question:
We recently replaced an expired Certificate from the CDS, and we'd like to know how to do it without
downtime. We've observed recently that changing an expired certificate required downtime.
How can we avoid downtime?
Answer:
Starting with Policy Server and AdminUI 12.6, you can configure a
"secondary certificate" so that the certificate can be replaced
without downtime. The product documentation describes it as follows:
Signature and Encryption Configuration for Federated Partnerships
Select an alias from the certificate data store for the Verification
Certificate Alias field. This field indicates which certificate
verifies signed authentication requests or single logout requests or
responses. If there is no certificate in the certificate data store,
click Import to import one.
(Optional) Select another alias from the certificate data store for
the Secondary Verification Certificate Alias field.
If verification of a signed authentication or logout request fails
using the primary verification certificate alias, the IdP uses this
secondary verification alias. If the certificate is not already in the
certificate data store, click Import to import one. When secondary
certificates are configured or updated for an active partnership, the
run time automatically picks up the changes. You do not need to flush
the cache manually from the UI for the changes to take effect.
https://docops.ca.com/ca-single-sign-on/12-7/en/configuring/partnership-federation/signature-and-encryption-configuration-for-federated-partnerships
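The primary-then-secondary verification order described above is what makes a no-downtime rotation possible. The following is an added illustration, not CA SSO code: HMAC keys stand in for the X.509 certificates behind the CDS aliases (a labelled assumption, so it runs without a crypto library), and the alias names and request body are constructed.

```python
import hmac
import hashlib
from typing import Optional

# Constructed stand-in for the certificate data store (CDS): alias -> key material.
# Real CA SSO aliases reference X.509 certificates; HMAC keys are used here only
# so the rotation logic runs offline.
CDS = {
    "partner-2019": b"constructed-old-key-material",  # expiring certificate
    "partner-2024": b"constructed-new-key-material",  # replacement certificate
}

def sign(alias: str, message: bytes) -> bytes:
    """Partner side: sign a request with the key behind the given alias."""
    return hmac.new(CDS[alias], message, hashlib.sha256).digest()

def verify(alias: str, message: bytes, signature: bytes) -> bool:
    """Verify against a single alias using a constant-time comparison."""
    return hmac.compare_digest(sign(alias, message), signature)

def verify_with_fallback(message: bytes, signature: bytes, primary: str,
                         secondary: Optional[str] = None) -> Optional[str]:
    """IdP side, mirroring the documented behaviour: try the Verification
    Certificate Alias first, then the Secondary Verification Certificate Alias.
    Returns the alias that verified the signature, or None if both failed."""
    if verify(primary, message, signature):
        return primary
    if secondary is not None and verify(secondary, message, signature):
        return secondary
    return None

def rotation_timeline() -> dict:
    """Walk through a rotation and record which alias verified each request.
    Steps 2 and 3 are the overlap window that removes the downtime."""
    msg = b"SAMLRequest=constructed-authn-request"
    r = {}
    # 1. Steady state: partner signs with the old cert, only the primary alias is set.
    r["before"] = verify_with_fallback(msg, sign("partner-2019", msg), "partner-2019")
    # 2. Overlap: new cert imported and set as secondary; partner still signs with the old one.
    r["overlap_old"] = verify_with_fallback(msg, sign("partner-2019", msg), "partner-2019", "partner-2024")
    # 3. Partner switches to the new cert; the secondary alias catches it, no restart needed.
    r["overlap_new"] = verify_with_fallback(msg, sign("partner-2024", msg), "partner-2019", "partner-2024")
    # 4. Promote the new cert to primary and retire the old alias.
    r["after"] = verify_with_fallback(msg, sign("partner-2024", msg), "partner-2024")
    # Failure mode from the question: partner switched before any secondary was configured.
    r["no_secondary"] = verify_with_fallback(msg, sign("partner-2024", msg), "partner-2019")
    return r
```

Logging which alias verified each request (step 3 versus step 2) tells you when every partner has moved to the new certificate and the old alias can safely be dropped.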
Additional Information:
Further reading related to the topic:
Port Federation Certificate Management Enhancement from SSO
https://communities.ca.com/ideas/235738112
To benefit from this functionality, you need to upgrade your
environment to at least 12.6. We recommend upgrading to 12.8.
KB: KB000098292