You are located in service: Identity Management

Certificate Rollover for the Shibboleth Serviceprovider

Certificate Rollover for the Shibboleth Serviceprovider


If you are operating a Shibboleth service provider with official packages from the Shibboleth Consortium (see Installation), you can perform a so-called "certificate rollover" while changing certificates. This has the advantage of not resulting in any downtime when you want to swap certificates.



To perform a certificate rollover, you must first apply for a new server certificate as normal. Once you have received the certificate, you must add it in the /etc/shibboleth/shibboleth2.xml file as follows:

CredentialResolver type="File"key="sp.key" certificate="sp.crt"/>

<!-- enter new certificate here-->

<CredentialResolver type="File"key="sp_new.key" certificate="sp_new.crt"/>

  • Check whether the service continues to function with this configuration:

    shibd -t

  • RHEL based systems (centOS, Rocky Linux etc.) require the LD_LIBRARY_PATH to be expanded:
    export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/shibboleth/lib64/
  • Then restart the Shibboleth service:
    systemctl restart shibd
  • Now contact the IT-ServiceDesk by email to and inform the IT Center about the pending change of certificates.
  • After 2-3 days, you can change the order in the /etc/shibboleth/shibboleth2.xml file. Restart the Shibboleth service:
    systemctl restart shibd
  • After a further 2-3 days, you can completely remove the old certificate. After doing this, you will need to restart Shibboleth again. Optionally, you can now send an additional email to to inform the IT Center that the change of certificates has been completed.

last changed on 09/06/2023

How did this content help you?

Creative Commons Lizenzvertrag
This work is licensed under a Creative Commons Attribution - Share Alike 3.0 Germany License