Refresh, Renew, or Replace Certificates
  • 22 Feb 2024

Abstract

This page describes refreshing, renewing, or replacing Infinite BrassRing Platform and your organization's Identity Provider SSO certificates.

Single Sign-On depends on trusted communication between an Identity Provider and a Service Provider, and that trust is maintained by the public certificates they exchange. Security or Encryption certificates are usually valid for a maximum of 3 years and must be refreshed or renewed when they are about to expire. Certificates can be refreshed in advance of the expiry date. Infinite BrassRing Platform automatically uses the new certificate, if available, when an existing certificate expires.

When a client's IdP system's certificate is refreshed, the client needs to update their IdP's certificate in their Infinite BrassRing Platform environment.

Important

The certificate must be in base64 format.

Similarly, when the Infinite BrassRing Platform certificate is refreshed, the client needs to update the TS certificate in their IdP system.

Infinite BrassRing Platform Certificate Refresh for your organization’s Identity Provider

In advance of an Infinite BrassRing Platform SSO Certificate expiring, a communication is sent to clients that use SSO. The communication includes details about when the new certificate activates, how to obtain the new certificate, when the old one expires, the steps that might need to be taken by the clients, and what changes might occur in the metadata file, if any.

Client admins are required to make this update in their own IdP system. A typical process is:

  1. Download the new Infinite BrassRing Platform certificate. The download location is included in the communication.

  2. Plan the update of the Infinite BrassRing Platform certificate in your IdP.

    • New certificates can be added to Infinite BrassRing Platform at any time before the expiration of the current certificates.

    • It is recommended to not delete the old certificates until after they expire.

    • If your organization's IdP can only hold one certificate at a time, the update must be made shortly before or after the expiration time and date.

    • It is recommended to update the staging environment before updating the production environment.

  3. Replace the expiring certificate with the new one.

  4. Verify that SSO is working.

Identity Provider Certificate Refresh in Infinite BrassRing Platform

Refreshing a certificate requires the Administrator to add a new certificate alongside the existing expiring certificate. Adding a certificate in this way refreshes the existing certificate and avoids expiration.

When a client identity provider system's certificate, Signing or Encryption, is about to expire, Infinite BrassRing Platform administrators must find the expiring certificate on the Infinite BrassRing Platform Admin SSO Inbound page and add the new certificate.

After the new certificate is added, two certificates are available. When the existing active certificate expires, it can be removed. Infinite BrassRing Platform automatically uses the new certificate and ignores the expired one; however, it is recommended to remove the expired one to avoid any future confusion.

Process

  1. Log in to Infinite BrassRing Platform as an SSO Administrator and select the Application Launcher → Admin.

  2. Select Menu → SSO → Inbound.

  3. The Edit Inbound SSO configuration page opens.

    1. To refresh or renew an expiring certificate, locate the certificate that needs to be refreshed in the Signing Certificate or Encryption Certificate sections.

      1. Drop the new certificate into the appropriate section or select Or select file manually and upload the new certificate from your computer.

      2. Select Show Details to view the certificate details.

    2. To replace a revoked certificate, locate the certificate that needs to be renewed in the Signing Certificate or Encryption Certificate section.

      1. Select Show Details for the certificate to view and verify the certificate's serial number.

      2. Drop the new certificate into the section or select Or select file manually and upload the new certificate from your computer. After certificates are updated, it can take 5 minutes in the Staging environment or 15 minutes in the Production environment to sync the changes. Errors might appear if testing is done before these time periods elapse.

    3. For more information on the fields and certificates on this page, see Configure Talent Suite Service Provider (SP) Inbound SSO.

  4. Repeat Step 3a or Step 3b for all certificates that need to be refreshed or replaced, and select Submit.

  5. If a parsing error is encountered when the new certificate is submitted, see Resolving the SSO Certificate Parsing Error.
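
A pre-upload check for the process above, as an added example that is not Infinite BrassRing Platform code: it converts a binary (DER) certificate to base64 text and reads the serial number and expiry date so they can be compared with Show Details. It assumes "base64 format" means PEM (base64 between BEGIN/END CERTIFICATE lines); all function names and the sample data are constructed for illustration.

```python
import base64, hashlib
from datetime import datetime, timezone
HEAD, TAIL = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def to_pem(raw: bytes) -> str:
    """Return base64 (PEM) text, converting binary DER input if needed."""
    text = raw.strip()
    if text.startswith(HEAD.encode()):
        return text.decode("ascii") + "\n"
    if raw[:1] != b"\x30":  # a DER certificate starts with a SEQUENCE tag
        raise ValueError("neither PEM nor DER certificate data")
    b64 = base64.b64encode(raw).decode("ascii")
    return "\n".join([HEAD, *(b64[i:i + 64] for i in range(0, len(b64), 64)), TAIL]) + "\n"

def pem_to_der(pem: str) -> bytes:
    body = pem.strip()
    if not (body.startswith(HEAD) and body.endswith(TAIL)):
        raise ValueError("missing PEM certificate header or footer")
    return base64.b64decode("".join(body[len(HEAD):-len(TAIL)].split()), validate=True)

def _tlv(buf: bytes, pos: int = 0):
    """Read one DER tag-length-value; return (tag, value, next position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the size of the length field
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def summarize(pem: str, now: datetime) -> dict:
    """Serial number, expiry and fingerprint to compare with Show Details."""
    der = pem_to_der(pem)
    tbs = _tlv(_tlv(der)[1])[1]  # Certificate -> tbsCertificate
    tag, value, pos = _tlv(tbs)
    if tag == 0xA0:  # optional explicit [0] version precedes the serial
        tag, value, pos = _tlv(tbs, pos)
    for _ in range(2):  # skip signature algorithm and issuer
        pos = _tlv(tbs, pos)[2]
    validity = _tlv(tbs, pos)[1]
    time_tag, end, _ = _tlv(validity, _tlv(validity)[2])  # notAfter follows notBefore
    fmt = "%y%m%d%H%M%SZ" if time_tag == 0x17 else "%Y%m%d%H%M%SZ"
    not_after = datetime.strptime(end.decode("ascii"), fmt).replace(tzinfo=timezone.utc)
    return {"serial": value.hex().upper(), "not_after": not_after,
            "days_left": (not_after - now).days, "sha256": hashlib.sha256(der).hexdigest()}

# Constructed DER skeleton with only the fields read above; not a real signed certificate.
SAMPLE_DER = (bytes.fromhex("302f302da00302010202021234" "3000" "3000" "301e")
              + b"\x17\x0d240222000000Z" + b"\x17\x0d270222000000Z")
if __name__ == "__main__":
    print(summarize(to_pem(SAMPLE_DER), datetime.now(timezone.utc)))
```

The serial is printed exactly as encoded, so a DER leading `00` byte may appear in front of the value shown elsewhere.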