By: Cedric Ferraris user 26 Apr 2019 at 3:29 p.m. CDT

4 Responses
Hello, we have a Shibboleth SAML IDP cert coming to expiration, as indicated under Configuration --> Certificates. Is there a documented procedure to renew it? Is there any impact on the existing TR? Do they have to re-import the Gluu metadata file after renewal? Also, from your experience, do some SPs (cloud-based SPs, for example) require SAML certificates generated by a known CA? Thanks

By Mohib Zico staff 06 May 2019 at 3:43 a.m. CDT

Hi Cedric,

One request: as you are a Gluu customer, can you ask your named contacts to add you to the 'named contact' list? Otherwise, your ticket is being considered as 'community' without any SLA. Screenshot attached.

>> Is there a documented procedure to renew it?

Seems like it's not published yet in the public doc. Will do it. Basically, here is what you need to do:

- Back up your existing `idp-signing.crt` and `idp-signing.key` from the Gluu-Server-container:/etc/certs location
- Generate a long-term `idp-signing.crt` and `idp-signing.key`. We are using a self-signed cert and key. Command:

  ```
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout idp-signing.key -out idp-signing.crt
  ```

- Put the newly generated cert and key inside the /etc/certs/ location. Make sure the permission is `root:gluu`
- Stop / start the Gluu-Server container

>> Is there any impact on the existing TR?

Depends on the SP. Some SPs can deal with expired certs... some can't. It's better to renew.

>> Do they have to re-import the Gluu metadata file after renewal?

Yes, they have to. And make sure to perform this update on a specified date and time; inform all SPs that you are going to update your cert on that day and time so they can import the new cert accordingly. Otherwise, there might be a broad outage.

>> Also, from your experience, do some SPs (cloud-based SPs, for example) require SAML certificates generated by a known CA?

I haven't seen any who has such a requirement. SAML certs are generally self-signed and valid for around 5 to 10 years.

By Cedric Ferraris user 06 May 2019 at 8:14 a.m. CDT

Ok.

1- I assume I can generate new certs on node 1 and just copy them to node 2?

2- I've generated new idp-signing and idp-encryption certs in our lab environment, put them in /etc/certs, set the right permissions and restarted the Gluu container. I can see the new certs are reflected in the {domain}/idp/shibboleth URL but not in the GUI. Under Configuration -> Certificates, I still see a certificate expiring soon. Is it possible that cert is referring to shibIDP.crt?

By Cedric Ferraris user 13 May 2019 at 10:07 a.m. CDT

Hello, any update?

P.S.: there is not enough space in the named contact list for me, so I will stick to the community SLA.

By Mohib Zico staff 13 May 2019 at 10:43 a.m. CDT

>> 1- I assume I can generate new certs on node 1 and just copy them to node 2?

Yes, that's correct.

>> 2- I've generated new idp-signing and idp-encryption certs in our lab environment, put them in /etc/certs, set the right permissions and restarted the Gluu container. I can see the new certs are reflected in the {domain}/idp/shibboleth URL

That's the important check. If you see the updated cert in the metadata, you are all good.

One thing I must share with you... a Shibboleth cert update in Production is a critical task. Technically it's easy, but you need to talk to your connected SP people before you move for the cert update there. If they don't update the cert at the specific time, there will be an outage.

>> P.S.: there is not enough space in the named contact list for me, so I will stick to the community SLA.

Unfortunately, there is no SLA for community yet.
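As an added example (not code from this thread or from Gluu), here is a stdlib-only way to automate the check Mohib describes after the renewal procedure above: compare the certificate fingerprints published in the {domain}/idp/shibboleth metadata against the PEM files placed in /etc/certs, so you see whether the IdP is really publishing the new idp-signing / idp-encryption cert before asking SPs to re-import. The metadata document, the PEM files and the "DER" bytes below are constructed sample data rather than real certificates, and the entityID is a placeholder.

```python
import base64, hashlib, re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def fingerprint(der: bytes) -> str:
    # SHA-256 hex digest of the DER-encoded certificate
    return hashlib.sha256(der).hexdigest()

def pem_to_der(pem_text: str) -> bytes:
    # Strip the PEM armour (as in /etc/certs/idp-signing.crt) and decode to DER
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found in PEM text")
    return base64.b64decode("".join(m.group(1).split()))

def metadata_fingerprints(metadata_xml: str) -> dict:
    # {use: [sha256, ...]} per KeyDescriptor; one without a 'use' attribute serves both uses
    found = {"signing": [], "encryption": []}
    root = ET.fromstring(metadata_xml)
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        uses = [kd.get("use")] if kd.get("use") else ["signing", "encryption"]
        for cert_el in kd.iterfind(".//ds:X509Certificate", NS):
            fp = fingerprint(base64.b64decode("".join(cert_el.text.split())))
            for use in uses:
                found[use].append(fp)
    return found

def check_published(metadata_xml: str, pem_files: dict) -> dict:
    # For each on-disk PEM ({"signing": pem_text, ...}): is exactly that cert published in the metadata?
    published = metadata_fingerprints(metadata_xml)
    return {use: fingerprint(pem_to_der(pem)) in published[use] for use, pem in pem_files.items()}

# Constructed stand-ins for DER certificate bytes (not real X.509 data)
NEW_SIGNING_DER = b"constructed new idp-signing cert"
NEW_ENCRYPTION_DER = b"constructed new idp-encryption cert"
OLD_SIGNING_DER = b"constructed old, expiring idp-signing cert"

def make_pem(der: bytes) -> str:
    return f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(der).decode()}\n-----END CERTIFICATE-----\n"

def make_metadata(signing_der: bytes, encryption_der: bytes) -> str:
    # Minimal constructed IdP metadata shaped like {domain}/idp/shibboleth; entityID is a placeholder
    def key(d):
        return f"<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{base64.b64encode(d).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>"
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" entityID="https://idp.example.org/idp/shibboleth">'
            f'<md:IDPSSODescriptor><md:KeyDescriptor use="signing">{key(signing_der)}</md:KeyDescriptor>'
            f'<md:KeyDescriptor use="encryption">{key(encryption_der)}</md:KeyDescriptor>'
            '</md:IDPSSODescriptor></md:EntityDescriptor>')
```

Against a live IdP you would fetch the metadata URL and read the PEM files from /etc/certs; a `False` for a use means the container is still serving the previous certificate for it (for example, because the file was not replaced or the container was not restarted).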