Regenerating Key/Certificate Pairs

IdP versions 2.3 and later

If you need to regenerate the key material that your IdP uses to communicate with other SPs (for instance because of key compromise or Federation Operator's restrictions), you can do so by using a variant of the installation script.

  1. Change into the IdP distribution directory, shibboleth-identityprovider-VERSION. This is the directory you created when you installed or last updated the IdP.
  2. Run either ./install.sh renew-cert (on Unix systems) or install.bat renew-cert (on Windows systems).
  3. Respond to the prompts appropriately.
  4. Restart the IdP

The new private key, long lived certificate, and keystore files will be generated with the file name suffix '.new'. Once you're ready to use them - after you have updated the IdP's metadata to include the new certificate and published the result - copy them over the existing files that don't have the '.new' suffix.

The lifetime of the generated certificate can be changed from the default by setting the environment variable IdPCertLifetime to the number of years lifetime required before you run the script.