Introduction

Certificates expire after a period of time. HelloID's self-signed certificates, for example, expire after two years. As such, it is periodically necessary to update the trust relationship between HelloID and connected applications (service providers). If this is not done, end users may be denied access to an application when its associated certificate expires. This article will walk you through the process of updating an application's certificate in order to avoid such service disruptions.

Important: This update may need to be coordinated with the service provider's support department. Check with them before attempting any updates to the certificate.

Generate or install a new certificate

Using this instructions on this page, generate or install new self-signed certificate for the application. Do not remove the old certificate yet—you may do that after you have completed all steps in this article.

Update the application configuration

Once you have generated or installed a new certificate, you're ready to update the application's configuration.

1. Navigate to Applications > Applications.
2. Find the application that you need to update and click its Edit link.
3. On the Configuration tab, update the X509 Certificate setting by selecting your new certificate from the dropdown menu.
   
4. If the application is configured to encrypt the assertion, you may also need to update the X509 Encryption Certificate. 
   
5. Once you have updated the necessary certificate settings, click Save to update the application's configuration.

Update application metadata with the service provider

Most service providers will require an updated copy of the application's metadata file, which contains the updated certificate signature. Service providers use the signature to ensure that single sign-on (SSO) authentication requests are valid and aren't coming from an untrusted source.

1. Navigate to Applications > Applications.
2. Find the application that you need to update and click its Edit link.
3. Click the Download metadata button at the top of the page.
4. The metadata XML file will be downloaded to your computer, which you may then provide to the service provider, so that they can update the SSO configuration on their side.