One request: as you are a Gluu customer, can you ask your named contacts to add you to the 'named contact' list? Otherwise, your tickets are being considered as 'community' without any SLA. Screenshot attached.
>> Is there a documented procedure to renew it?
Seems like it's not published yet in the public docs. Will do it.
Basically here is what you need to do:
- Back up your existing `idp-signing.crt` and `idp-signing.key` from the Gluu-Server-container:/etc/certs location
- Generate a long-term `idp-signing.crt` and `idp-signing.key`. We are using a self-signed cert and key. Command: `openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout idp-signing.key -out idp-signing.crt`
- Put the newly generated cert and key in the /etc/certs/ location. Make sure the permission is `root:gluu`
- Stop / start the Gluu-Server container
>> Is there any impact on the existing TR?
Depends on the SP. Some SPs can deal with expired certs, some can't. It's better to renew.
>> Do they have to re-import Gluu metadata file after renewal?
Yes, they have to. And make sure to perform this update on a specified date and time; inform all SPs that you are going to update your cert on that day and time so they can import the new cert accordingly. Otherwise, there might be a broad outage.
>> Also, from your experience, do some SPs (cloud-based SPs, for example) require SAML certificates generated by a known CA?
I haven't seen any that has such a requirement. SAML certs are generally self-signed and valid for around 5 to 10 years.
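The renewal steps from the reply above, scripted as an added example; this is not part of the original post or of Gluu's documentation. It uses the post's own `openssl req` command and its `root:gluu` requirement, and adds two checks the post does not spell out: that the new cert and key actually belong together, and a `-checkend` query so the next renewal can be announced to SPs ahead of time. The function names `renew_idp_signing_cert` and `idp_cert_valid_days`, the placeholder subject `/CN=idp-signing`, mode 640 on the key, and the use of `getent` to detect the `gluu` group are assumptions of this example, not Gluu specifics.

```shell
#!/bin/sh
# Added example (not from the Gluu post or Gluu's documentation): scripted
# version of the renewal steps, plus checks the post does not spell out.
# Assumptions: CERT_DIR is /etc/certs inside the Gluu-Server container, the
# IdP runs as group "gluu", and "/CN=idp-signing" is a placeholder subject
# (SPs trust the key in the metadata, not the subject of a self-signed cert).

set -eu

# renew_idp_signing_cert CERT_DIR [DAYS]
# Backs up idp-signing.crt/.key, generates a new self-signed pair with the
# openssl command from the post, verifies that cert and key belong together,
# and sets ownership when run as root. Returns non-zero on any failure.
renew_idp_signing_cert() {
    cert_dir=$1
    days=${2:-365}   # the post uses 365; SAML signing certs are often 5-10 years
    crt="$cert_dir/idp-signing.crt"
    key="$cert_dir/idp-signing.key"
    stamp=$(date +%Y%m%d%H%M%S)

    # Step 1: back up whatever is there now so the old pair can be restored.
    for f in "$crt" "$key"; do
        [ -f "$f" ] && cp -p "$f" "$f.bak-$stamp"
    done

    # Step 2: generate the new long-term self-signed cert and key.
    # -subj makes the post's interactive command scriptable; CN is a placeholder.
    openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
        -keyout "$key" -out "$crt" -subj "/CN=idp-signing" 2>/dev/null

    # Step 3: sanity check - the public key in the cert must match the private key,
    # otherwise the IdP will publish metadata SPs can never verify signatures with.
    crt_pub=$(openssl x509 -noout -pubkey -in "$crt")
    key_pub=$(openssl pkey -pubout -in "$key")
    [ "$crt_pub" = "$key_pub" ] || { echo "cert/key mismatch" >&2; return 1; }

    # Step 4: ownership root:gluu as the post requires (only possible as root).
    # Mode 640 on the key is an assumption: readable by group gluu, not by others.
    if [ "$(id -u)" = 0 ] && getent group gluu >/dev/null 2>&1; then
        chown root:gluu "$crt" "$key"
        chmod 640 "$key"
    else
        echo "note: run as root inside the container to set root:gluu on $key" >&2
    fi

    echo "new cert: $(openssl x509 -noout -enddate -in "$crt")"
}

# idp_cert_valid_days CERT_FILE [DAYS]
# Returns 0 if the certificate is still valid DAYS from now, 1 otherwise.
# Suitable for a cron check so the renewal date can be agreed with SPs in advance.
idp_cert_valid_days() {
    openssl x509 -noout -checkend "$(( ${2:-30} * 86400 ))" -in "$1" >/dev/null 2>&1
}

# Stand-alone usage: renew into a scratch directory rather than /etc/certs.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    renew_idp_signing_cert "$tmp" 365
    idp_cert_valid_days "$tmp/idp-signing.crt" 30 && echo "valid for at least 30 days"
fi
```

Run it with `--demo` to see the flow against a scratch directory; for a real renewal, call `renew_idp_signing_cert /etc/certs` as root inside the container and then stop/start the container as the reply says. The backup files are what you fall back to if an SP has not yet imported the new metadata on the agreed date.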