Certificate Rotation: Frequently Asked Questions
Get answers to frequently asked questions around certificate rotation
Frequently Asked Questions
- Identifying Certificate Files
- Updating my Organization's Certificate
- ComplyEQ Product Scope
- My identity provider doesn't use the Foundry certificate. Do I still need to rotate the certificate?
- Multiple Identity Providers
- What if I can't rotate in time, or don't rotate at all? What will happen?
- What if my identity provider does not encrypt Assertions? How does that affect certificate rotation?
- Which certificate does Foundry use to decrypt a SAML Response?
- Okta identity provider and Foundry certificate rotation
- Microsoft Azure
Identifying Certificate Files
Q: I have a couple of certificate files. How can I figure out which one is which?
A: Open the file in a plain-text editor, one that won't try to format the certificate as though it were a normal document. Then paste the contents into the decoder at https://www.sslshopper.com/certificate-decoder.html and follow the instructions there. Compare the decoded details with Foundry Certificate History, which lists the ComplyEQ Foundry X.509 certificates.
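The same identification can be done locally with the openssl command line, which avoids pasting certificates into a third-party site and gives you the SHA-256 fingerprint to compare against a published certificate list. This is an added example, not part of the ComplyEQ documentation; it assumes openssl is installed, and the file names used are placeholders. The demo certificate it generates is a throw-away self-signed one constructed for illustration, not a Foundry certificate.

```shell
#!/bin/sh
# Added example (not ComplyEQ/Foundry code): inspect X.509 certificate files
# locally with the openssl CLI. Assumes `openssl` is on PATH.
set -eu

# Print the fields that tell certificate files apart: subject, issuer, serial,
# validity window and SHA-256 fingerprint. Accepts PEM, falls back to DER.
cert_summary() {
    f="$1"
    if openssl x509 -in "$f" -inform PEM -noout >/dev/null 2>&1; then
        fmt=PEM
    else
        fmt=DER
    fi
    openssl x509 -in "$f" -inform "$fmt" -noout \
        -subject -issuer -serial -dates -fingerprint -sha256
}

# Exit 0 if the certificate in $1 remains valid for at least $2 more seconds
# (default 0, i.e. "not expired right now"), non-zero otherwise.
cert_valid_for() {
    f="$1"
    secs="${2:-0}"
    openssl x509 -in "$f" -noout -checkend "$secs" >/dev/null 2>&1
}

# SHA-256 fingerprint only, normalised (prefix and colons removed, lowercase)
# so it can be compared byte-for-byte with a value from a published list.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed 's/^[^=]*=//; s/://g' | tr 'A-F' 'a-f'
}

# Constructed demo input: a 30-day self-signed certificate written into $1.
make_demo_cert() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=demo-sp.example" \
        -keyout "$dir/demo.key" -out "$dir/demo.crt" >/dev/null 2>&1
}

# Usage: sh inspect_cert.sh --demo   (or call cert_summary on your own files,
# e.g. cert_summary old-foundry.crt; cert_summary new-foundry.crt)
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_demo_cert "$tmp"
    cert_summary "$tmp/demo.crt"
    echo "fingerprint: $(cert_fingerprint "$tmp/demo.crt")"
    if cert_valid_for "$tmp/demo.crt" 0; then echo "status: not expired"; else echo "status: EXPIRED"; fi
    rm -rf "$tmp"
fi
```

The notAfter date from cert_summary tells you which file is the expiring certificate, and the fingerprint is the reliable way to match a file against an entry in Foundry Certificate History, since two certificates can carry the same subject name.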
Updating my Organization's Certificate
Q: My own organization’s x509 certificate is expiring. How do I update this in Foundry?
A: Refer to the guide titled Set Up Your Identity Provider in Foundry for step-by-step instructions.
ComplyEQ Product Scope
Q: Which ComplyEQ products does this apply to?
A: ComplyEQ has single sign-on in various products, but the information on this page applies only to Foundry.
Q: My identity provider doesn't use the Foundry certificate. Do I still need to rotate the certificate?
A: If your identity provider doesn’t use the Foundry certificate for token encryption or signature validation in SAML messages, you don’t need to update it. However, we recommend updating your Foundry identity provider configuration to the latest certificate to confirm you're not using the older one.
Multiple Identity Providers
Q: I have multiple identity providers in Foundry. How do I manage that?
A: You need to rotate the certificate for each identity provider configuration in Foundry.
What if I can't rotate in time, or don't rotate at all? What will happen?
Q: What happens if we don’t rotate before the certificate expires?
A: Please rotate your certificate as soon as possible. Foundry won’t block SSO if its certificate is expired, but your identity provider might. Behavior varies by provider.
No Assertion Encryption?
Q: My identity provider does not encrypt the SAML Assertion, so there is no encryption certificate for us to rotate. Does that change anything about Foundry certificate rotation?
A: You still need to rotate. Even if you're not encrypting Assertions, the signing certificate must be rotated.
Decrypting SAML Response
Q: My identity provider encrypts the SAML Response’s Assertion with the Foundry X.509 certificate. How does Foundry decrypt?
A: Foundry uses the certificate specified in your identity provider configuration to handle both signing and decryption. You can find this configuration in the article https://help.everfi.com/s/article/How-To-Rotate-The-Certificate, which outlines how your identity provider communicates with Foundry.
In that configuration, there’s a field for the Foundry certificate. Foundry uses this certificate to digitally sign its outgoing SAML messages — including AuthnRequest, LogoutRequest, and LogoutResponse. Your identity provider should store this certificate and use it to validate the signature of incoming messages from Foundry.
For decryption, Foundry attempts to decrypt the encrypted SAML Assertion using the same certificate. However, there’s a fallback mechanism:
If decryption fails and the certificate used is not the newest Foundry certificate, Foundry will try again using its newest certificate.
This dual-certificate support allows for staggered certificate rotation, which is especially helpful when different people manage the identity provider and the Foundry configuration. For example, one person might update the identity provider while another updates Foundry — and those steps don’t need to happen simultaneously.
As long as you complete Step 5 (updating Foundry’s identity provider configuration) before the old certificate expires, single sign-on (SSO) will continue to work without interruption. Step 6 is considered housekeeping and can be done later.
This flexibility means you can rotate certificates with hours, days, or even weeks between updates — minimizing disruption and making coordination easier across teams.
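To make the fallback rule concrete, here is a small model of it in Python. This is an added example, not ComplyEQ/Foundry code: certificates are plain labels, "decryption succeeds" means the certificate Foundry tries is the one the identity provider encrypted with, and the model assumes (as the answer above states) that the identity provider encrypts with the single Foundry certificate it has stored, while Foundry tries its configured certificate first and retries with the newest one only when the configured one is not already the newest. All names in it are constructed.

```python
"""Model of Foundry's decryption fallback as described in the FAQ.

Added example, not ComplyEQ/Foundry code. Assumptions (from the FAQ text):
  * the identity provider encrypts the Assertion with the one Foundry
    certificate it has stored;
  * Foundry tries the certificate from its identity-provider configuration
    and, if that fails and it is not the newest Foundry certificate, retries
    with the newest one.
Certificate names below are constructed labels, not real certificate ids.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class EncryptedAssertion:
    """Stand-in for an EncryptedAssertion: records which cert the IdP used."""
    encrypted_with: str
    payload: str


def try_decrypt(assertion: EncryptedAssertion, cert: str) -> Optional[str]:
    """Succeeds only when `cert` is the one the IdP encrypted with."""
    return assertion.payload if assertion.encrypted_with == cert else None


def foundry_decrypt(assertion: EncryptedAssertion,
                    configured_cert: str,
                    newest_cert: str) -> Tuple[Optional[str], Optional[str]]:
    """Apply the FAQ's rule. Returns (plaintext, cert_used) or (None, None)."""
    plaintext = try_decrypt(assertion, configured_cert)
    if plaintext is not None:
        return plaintext, configured_cert
    # Fallback only happens when the configured cert is not already the newest.
    if configured_cert != newest_cert:
        plaintext = try_decrypt(assertion, newest_cert)
        if plaintext is not None:
            return plaintext, newest_cert
    return None, None


def rotation_matrix(old_cert: str, new_cert: str) -> Dict[Tuple[str, str], Optional[str]]:
    """Evaluate every (IdP-side cert, Foundry-config cert) combination that can
    occur during a staggered rotation from old_cert to new_cert.
    Value = certificate Foundry decrypted with, or None if decryption fails."""
    results: Dict[Tuple[str, str], Optional[str]] = {}
    for idp_cert in (old_cert, new_cert):
        for foundry_cert in (old_cert, new_cert):
            assertion = EncryptedAssertion(encrypted_with=idp_cert, payload="<Assertion/>")
            _, used = foundry_decrypt(assertion, foundry_cert, newest_cert=new_cert)
            results[(idp_cert, foundry_cert)] = used
    return results


if __name__ == "__main__":
    for (idp, foundry), used in rotation_matrix("foundry-old", "foundry-new").items():
        status = f"decrypted with {used}" if used else "FAILS"
        print(f"IdP encrypts with {idp:12}  Foundry config {foundry:12}  -> {status}")
```

Under these assumptions the only failing combination is a Foundry configuration already on the new certificate while the identity provider still encrypts with the old one; the other three combinations work, which is why the identity-provider side can be updated first and the Foundry configuration (Step 5) some time later. The model also shows that the retry covers only the newest certificate, so it does not rescue an identity provider still on a certificate two generations old.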
Okta-Specific Instructions
Q: How do I do this in Okta?
A: If you're using Okta, the steps differ depending on whether you're rotating the signing certificate or the encryption certificate.
If Single Logout is enabled, you must rotate the signing certificate. Refer to steps 17–27 in the SSO Setup With Okta instructions. You can also review Okta’s help article titled How to replace a Service Provider Signing Certificate in Okta, which applies to service providers like ComplyEQ.
If your identity provider encrypts SAML Response Assertions, you must also rotate the encryption certificate. Use the same Okta help article and follow the steps for replacing the encryption certificate. This option is only visible if Assertion Encryption is set to “Encrypted.” If it’s set to “Unencrypted,” you do not need to rotate the encryption certificate.
Microsoft Azure
Q: My identity provider is Microsoft Azure. How do I rotate the certificate?
A: Download and follow the instructions in SSO Setup with Microsoft Azure.