Signicat renews its SAML signing certificates every second year (years ending in odd numbers). This page describes the impact of the certificate renewal on Signicat’s Connectors and Applications.
Signicat’s Connectors (SAML 1.1)
Customers using older versions of Signicat Connectors will be affected by the renewal of Signicat’s SAML certificates. This applies to the following versions of the Connectors:
- on Java platform: Java client kit, v. 2.3.2 or lower
- on .NET platform: Signicat.Basic.Service v.1.11 .*.* or lower
- on .NET platform: Signicat.Basic v.220.127.116.11 or lower
Every time Signicat renews the SAML signing certificates, these customers must replace the old SAML signing certificates with the new ones, or add the new ones to the Connector’s truststore.
Customers using newer connectors than the above mentioned will not be affected by the renewal of the SAML signing certificate.
Signicat authentication using the SAML2 protocol
Customers integrated with the Signicat authentication service using the SAML2 protocol will be affected by the renewal of Signicat’s SAML certificates.
Every time Signicat renews the SAML signing certificates, these customers must renew the SAML2 metadata from Signicat.
In 2019 Signicat will, in addition to renewing the SAML certificate, upgrade SHA-256 signature digests in the SAML response. This applies to both SAML1.1 and SAML2.
If you experience problems with this change and are unable to make appropriate adjustments in time, contact email@example.com for an exemption, and to agree on and plan for a new date.
The CA certificate can be downloaded below. The certificate is also embedded in some of the client connectors.
- SAML certificate preprod.signicat.com (2017)
- SAML certificate preprod.eu01.signicat.com (2017)
- SAML certificate id.signicat.com (2017)
- SAML certificate eu01.signicat.com (2017)
- SAML certificate preprod.signicat.com (2019)
- SAML certificate preprod.eu01.signicat.com (2019)
- SAML certificate id.signicat.com (2019)
- SAML certificate eu01.signicat.com (2019)
Frequently asked questions
Q: I use OIDC, what do I do?
A: OIDC is unaffected by this change.
Q: I only use Signicat for signature, what do I do?
A: Renewal of the SAML signing certificate does not affect Signicat signing services.
Q: What is a “SAML Signing” certificate?
A: The SAML Signing certificate is the certificate used by Signicat for signing SAML responses.
Q: I use SAML2, what do I need to do?
A: You need to replace existing Signicat metadata with new metadata. Contact firstname.lastname@example.org to receive new metadata, or change your metadata manually by replacing the certificate in our metadata with the new certificate.
How to prepare for a SAML2 certificate change
Q: What version of the connector do I use?
A: For .NET: Find the signicat.basic.dll, check the properties for version.
For Java: Locate signicat-client-lib-X.X.X.jar. The version number should be in the file name.
Q: I don’t use any of Signicat’s connectors, what do I do?
A: If your integration uses Signicat’s root CA, you don’t need to do anything. If you use the leaf-certificate, you should consider adding the root CA or add the new certificate in your integration manually.
Q: How do I test if I support SHA-256 digest?
A: Performing regression tests on the current integration would suffice.