Certificate Rotation: Frequently Asked Questions
Get answers to frequently asked questions around certificate rotation.
Frequently Asked Questions
Identifying Certificate Files
Updating my Organization's Certificate
EVERFI Product Scope
My identity provider doesn't use the Foundry certificate. Do I still need to rotate the certificate?
Multiple Identity Providers
What if I can't rotate in time, or don't rotate at all? What will happen?
What if my identity provider does not encrypt Assertions? How does that affect certificate rotation?
Which certificate does Foundry use to decrypt a SAML Response?
Okta identity provider and Foundry certificate rotation
Microsoft Azure
Identifying Certificate Files
Q: I have a couple of certificate files. How can I figure out which one is which?
A: Open the file in a text editor that won’t reformat it as though it were a normal document. A PEM-encoded certificate is a block of base64 text between a "-----BEGIN CERTIFICATE-----" line and an "-----END CERTIFICATE-----" line. Paste that text into the decoder at https://www.sslshopper.com/certificate-decoder.html and follow the instructions; it shows the subject, issuer, validity dates and fingerprint, which you can compare against the list of EVERFI Foundry X.509 certificates in Foundry Certificate History. A certificate is public information, so pasting it into a decoder is harmless, but never paste a private key file (one beginning with "-----BEGIN PRIVATE KEY-----" or similar) into any website.
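As an added example (not part of the EVERFI page), the same identification can be done offline with the openssl command-line tool, which avoids pasting anything into a third-party site. It accepts both PEM and binary DER files, prints the subject, issuer, serial number, validity dates and SHA-256 fingerprint (the fingerprint being the value to match against the Foundry Certificate History list), tells you whether two files hold the same certificate, and flags certificates that are expired or within 30 days of expiry. The function names and the 30-day threshold are this example's own choices; it assumes openssl is installed.

```bash
#!/usr/bin/env bash
# Added example (not part of the EVERFI page): identify certificate files
# offline with the openssl command-line tool instead of a web decoder.
# Handles both PEM ("-----BEGIN CERTIFICATE-----" text) and binary DER files.
# Assumes: openssl in PATH; certificate file paths are passed as arguments.

# Print PEM or DER depending on how the file is encoded.
cert_format() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo PEM
    else
        echo DER
    fi
}

# SHA-256 fingerprint as colon-separated hex, the value to compare against
# a published certificate list (e.g. Foundry Certificate History).
cert_fingerprint() {
    openssl x509 -inform "$(cert_format "$1")" -in "$1" -noout -fingerprint -sha256 \
        | sed 's/^.*Fingerprint=//'
}

# Exit 0 when two files contain the same certificate, regardless of encoding.
cert_same() {
    [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# Exit 0 if the certificate is still valid $2 seconds from now (default 0,
# i.e. "not expired right now"), exit 1 if it will have expired by then.
cert_valid_for() {
    openssl x509 -inform "$(cert_format "$1")" -in "$1" -noout \
        -checkend "${2:-0}" >/dev/null
}

# Human-readable summary: who it identifies, who issued it, when it expires.
cert_info() {
    fmt=$(cert_format "$1")
    echo "== $1 ($fmt)"
    openssl x509 -inform "$fmt" -in "$1" -noout -subject -issuer -serial -dates
    echo "sha256 fingerprint=$(cert_fingerprint "$1")"
    if cert_valid_for "$1" 2592000; then          # 30 days, this example's threshold
        echo "status: valid for at least 30 more days"
    elif cert_valid_for "$1" 0; then
        echo "status: EXPIRES WITHIN 30 DAYS - rotate now"
    else
        echo "status: EXPIRED"
    fi
}

# Usage: ./cert_info.sh foundry-old.cer foundry-new.pem ...
for f in "$@"; do
    cert_info "$f"
done
```

A self-signed certificate shows the same value for subject and issuer; a certificate issued to your own organization rather than to EVERFI is your identity provider's certificate, not a Foundry one.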
Updating my Organization's Certificate
Q: My own organization’s X.509 certificate is expiring. How do I update this in Foundry?
A: See: Set Up Your Identity Provider in Foundry
EVERFI Product Scope
Q: Which EVERFI products does this apply to?
A: EVERFI offers single sign-on in several products, but the information on this page applies only to Foundry, which also includes our Financial Education elective learning platform.
My identity provider doesn't use the Foundry certificate. Do I still need to rotate the certificate?
A: If your identity provider does not use the Foundry certificate at all, neither for encrypting assertions to Foundry nor for validating the signature on Foundry’s SAML messages, then there is nothing to change in your identity provider. We still ask that you update your Foundry identity provider configuration to the latest Foundry certificate, as described in step 5 of the rotation instructions, so that EVERFI can see that you have completed the process and no longer depend on the older certificate.
Multiple Identity Providers
Q: I have multiple identity providers in Foundry. How do I manage that?
A: For each identity provider configuration you have in Foundry, you will need to rotate the certificate.
What if I can't rotate in time, or don't rotate at all? What will happen?
Q: The expiration date has passed but we haven’t rotated our certificate. What’s going to happen?
A: First of all, please rotate your certificate as soon as possible.
We cannot say for certain, because every identity provider behaves differently. Foundry itself does not block SSO when the Foundry certificate is expired, but your identity provider may refuse to validate signatures made with an expired certificate, or refuse to encrypt assertions to it, in which case SSO fails on the identity provider side. The only way to be sure is to rotate before the expiration date.
What if my identity provider does not encrypt Assertions? How does that affect certificate rotation?
Q: My identity provider does not encrypt the SAML Assertion, so we do not need to rotate the encryption certificate because there is no encryption. How does that affect Foundry certificate rotation?
A: Yes. Encryption is only one of the two uses of the Foundry certificate; your identity provider also uses it to validate the signatures on Foundry’s outgoing SAML messages (AuthnRequest, LogoutRequest and LogoutResponse). You still need to rotate to the new certificate for signing even though you are not encrypting.
Which certificate does Foundry use to decrypt a SAML Response?
Q: My identity provider encrypts the SAML Response’s Assertion with the Foundry X.509 certificate. How does Foundry decrypt?
A: The article Set Up Your Identity Provider in Foundry describes how you register your identity provider with Foundry. Those settings include a field for the Foundry certificate. Foundry digitally signs its outgoing SAML messages (AuthnRequest, LogoutRequest and LogoutResponse) with the private key belonging to that certificate, and your identity provider should validate the signature with the Foundry signing certificate(s) it stores for the Foundry service provider.
For encryption, Foundry attempts to decrypt the identity provider’s SAML Assertion with the private key of that same configured certificate, with one variation: if decryption fails, and the configured certificate is not the newest Foundry certificate, Foundry makes a second attempt with the newest certificate’s key. There is no fallback in the other direction: once Foundry is configured with the newest certificate, an assertion encrypted to an older certificate cannot be decrypted.
This support for up to two decryption certificates lets you stagger the steps of certificate rotation: you can perform Step 4 (the identity provider side) without making the matching change in the Foundry identity provider settings at the same time. The one requirement is that your identity provider can hold two or more Foundry signing certificates, because Foundry keeps signing with the configured (older) certificate until Step 5 and your identity provider must go on trusting it during the gap.
This is especially helpful when one person updates your identity provider and a different person updates Foundry. It is fine for hours, days or even weeks to pass between the steps, as long as Step 5 is completed before the outgoing Foundry certificate expires; Step 6 is essentially housekeeping. Single sign-on continues without interruption throughout.
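To make the decryption fallback concrete, here is an added example that models it with openssl. It is not EVERFI’s code, and Foundry’s real implementation is not shown on this page: two self-signed certificates stand in for the older and newest Foundry certificates, RSA-OAEP over a short message stands in for the XML Encryption used on a real SAML assertion, and foundry_decrypt applies the rule described above, configured key first, newest key second, and the second attempt only when the configured certificate is not the newest. Running it with --demo walks all four combinations of which certificate the identity provider encrypts to and which one Foundry is configured with. File names, function names and the constructed sample assertion are this example’s own; it assumes openssl is installed.

```bash
#!/usr/bin/env bash
# Added example (not EVERFI's code): a model of Foundry's "second chance"
# decryption using openssl. Foundry first tries the private key of the
# certificate configured in its identity-provider settings; if that fails and
# the configured certificate is not the newest Foundry certificate, it retries
# with the newest one. Real SAML assertions use XML Encryption (an RSA-wrapped
# AES key); here RSA-OAEP over a short message stands in for the assertion so
# that only the key-selection logic is on show. Assumes openssl in PATH.

# make_cert <name> <dir>: self-signed certificate <dir>/<name>.crt and private
# key <dir>/<name>.key. The certificate is what the identity provider stores
# for Foundry; the key never leaves Foundry.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=foundry-$1" \
        -keyout "$2/$1.key" -out "$2/$1.crt" >/dev/null 2>&1
}

# idp_encrypt <foundry.crt> <plaintext> <ciphertext>: what the identity
# provider does with whichever Foundry certificate it currently holds.
idp_encrypt() {
    openssl pkeyutl -encrypt -certin -inkey "$1" -pkeyopt rsa_padding_mode:oaep \
        -in "$2" -out "$3"
}

# try_key <key> <ciphertext> <plaintext>: one decryption attempt; a key that
# does not match fails the OAEP check and exits non-zero.
try_key() {
    openssl pkeyutl -decrypt -inkey "$1" -pkeyopt rsa_padding_mode:oaep \
        -in "$2" -out "$3" 2>/dev/null
}

# foundry_decrypt <configured.key> <newest.key> <ciphertext> <plaintext>
# Prints which key worked ("configured" or "newest"); exits 1 if neither.
foundry_decrypt() {
    if try_key "$1" "$3" "$4"; then
        echo configured
        return 0
    fi
    # The second chance only exists when the configured cert is not the newest.
    if [ "$1" != "$2" ] && try_key "$2" "$3" "$4"; then
        echo newest
        return 0
    fi
    rm -f "$4"
    return 1
}

# Walk the staggered rotation: which (IdP cert, Foundry setting) pairs work.
run_demo() {
    dir=$(mktemp -d)
    make_cert old "$dir"
    make_cert new "$dir"
    printf 'constructed sample assertion' > "$dir/assertion.txt"
    for idp in old new; do
        idp_encrypt "$dir/$idp.crt" "$dir/assertion.txt" "$dir/enc-$idp.bin"
        for cfg in old new; do
            result=$(foundry_decrypt "$dir/$cfg.key" "$dir/new.key" \
                "$dir/enc-$idp.bin" "$dir/dec.txt") || result="FAILS"
            echo "IdP encrypts with $idp, Foundry configured with $cfg -> $result"
        done
    done
    rm -rf "$dir"
}

if [ "${1:-}" = "--demo" ]; then
    run_demo
fi
```

The one combination that fails is the identity provider still encrypting to the older certificate after Foundry has already been switched to the newest one, which is why the page’s ordering (Step 4 on the identity provider, then Step 5 in Foundry) matters.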
Okta identity provider and Foundry certificate rotation
Q: How do I do this in Okta?
A: The steps differ for the signing certificate and the encryption certificate, and you need to provide the Foundry certificate to Okta only under certain conditions.
If you have Single Logout enabled, then you must rotate the signing certificate. See steps 17-27 in the instructions on SSO Setup With Okta. Also see How to replace a Service Provider Signing Certificate In Okta on Okta’s help site; that page refers to the signing certificate of a service provider such as EVERFI.
If you have opted to encrypt your SAML Response Assertions, then you must also rotate the encryption certificate: go to the same page as above and follow the corresponding steps for the Encryption Certificate. That option is hidden unless Assertion Encryption is set to “Encrypted”. If Assertion Encryption is “Unencrypted”, you are not encrypting the SAML response and there is no encryption certificate to rotate.
Microsoft Azure
Q: My identity provider is Microsoft Azure. How do I rotate the certificate?
A: On SSO Setup With Microsoft Azure, download the instructions that explain how to rotate the Foundry certificate.