
metadata-support - Re: [Metadata-Support] Question on updating metadata with new certificates

Subject: InCommon metadata support

  • From: Tom Scavo <>
  • To: "" <>
  • Subject: Re: [Metadata-Support] Question on updating metadata with new certificates
  • Date: Thu, 26 May 2016 12:29:36 -0400

On Thu, May 26, 2016 at 11:57 AM, Brad MacDonald wrote:
> Thanks Tom. Unfortunately it cannot.

I'm afraid that's the answer to your original question. If your
software does not support multiple decryption keys, it's not possible
to migrate an encryption certificate in metadata without loss of
service.

Tom

> -----Original Message-----
> From:
>
>
> [mailto:]
> On Behalf Of Tom Scavo
> Sent: Thursday, May 26, 2016 11:27 AM
> To:
>
> Subject: Re: [Metadata-Support] Question on updating metadata with new
> certificates
>
> Hi Brad,
>
> On Thu, May 26, 2016 at 10:31 AM, Brad MacDonald wrote:
>>
>> I’ve been reading the documentation on the site for a few days now but
>> I’m still not sure how we can update our certificates successfully
>> without potentially causing a service interruption to our clients. We
>> currently have one certificate that is used for both signing and
>> encryption. We would like to replace this with two new certificates,
>> one for signing and another for encryption. It seems as though all
>> the documentation around this points to replacing one cert for
>> another, not how to replace one certificate with two. Can anyone
>> provide any guidance on how to achieve this with causing the least
>> amount of disruption? I’ve been reading this article in particular
>>
>> https://spaces.internet2.edu/display/InCFederation/SP+Cert+Migration
>
> Well, if you follow the procedure documented on that page, there will be no
> service disruption. However, that assumes that your SAML software can be
> configured with two decryption keys. Can it?
>
> Tom


