Federation Manager Guide › Key and Certificate Management to Secure Federation Messages › Update Certificates in the Certificate Data Store

Update Certificates in the Certificate Data Store

You can update key/certificate pairs and standalone certificates in the following ways:

• Update an expiring trusted certificate by deleting the existing certificate and importing a new trusted certificate. The new certificate must match the expiring certificate in the certificate data store.
• Update the certificate by importing a signed trusted certificate or a PKCS7-signed response. The new certificate must match the expiring certificate in the certificate data store.
• Update a certificate with a certificate from a PKCS#12 file. The new private key and certificate pair must match the expiring key/certificate pair in the certificate data store.

The new certificate must be valid before Federation Manager can use it to update an expiring certificate. Certificates are updated and become available immediately after they are imported. If the new certificate is not valid, as determined by its validity interval, Federation Manager cannot use the new certificate.

To import only a trusted certificate, use a certificate file that has a PEM or DER encoding. The standard extension for files of these types is *.crt or *.cer. If the file ends in .p12 or .pfx, it is processed as a certificate data store file containing key/certificate pairs. Finally, if a file ends in .p7 or .p7b, it is processed as a signed response file. Anything else is treated as a certificate file, and Federation Manager tries to load a certificate from it.

Note: If you update certificates for a federated environment, you do not have to update any federation objects using the expiring certificates.