Renewing Certificates

When the Request Signing Certificate or the Assertion Decryption Certificate is renewed, the renewed certificate must be uploaded to the customer IDP as part of the single sign-on configuration for SAML 2.0 systems. To notify users that a renewal is due, a notification email can now be sent to designated recipients.

Sending Certificate Expiry Notification Emails

Notifications regarding certificate expiry are sent automatically to the configured recipients. The notification asks them to update the metadata on the customer's Single Sign-On IDP.

You can add up to ten email addresses. Ensure that the addresses are valid so that the recipients receive the notifications and activate the renewed certificates in time.

To send certificate expiry notification emails:
  1. From the Partition and Departments dropdown menu, go to the partition space.

  2. From the Navigation menu, browse to Security > Single Sign-On > Configurations.

  3. From the Select Configuration dropdown, select Agent.

  4. On the General tab, set the following:

    • Certificate Expiry Notification Emails: Click Add to add the email addresses to which the certificate expiry notification emails are to be sent. In the Add Email window, enter an email address and click Enter. You can add multiple email addresses. Click Done to save.

      (Figure: SAML 2 General Configuration)

  5. Click the Save button.

Activating Renewed Certificates

When the certificates are close to their expiration date, a notification email is sent to the recipients configured in the Certificate Expiry Notification Emails setting. After receiving the notification, the recipients need to download the renewed Request Signing Certificate and Assertion Decryption Certificate, upload them to the customer IDP, and then confirm the activation of these certificates.

1. The Assertion Decryption Certificate must be activated at the same time on both eGain and the customer IDP. Expect a downtime* of 20-30 minutes. Make sure you have customer approval before proceeding with activation.
2. If the customer IDP does not support multiple Request Signing Certificates (for example, Okta), the Request Signing Certificate must also be activated at the same time on both eGain and the customer IDP. Expect a downtime* of 20-30 minutes. Make sure you have customer approval before proceeding with activation.

*The downtime occurs because the B2C can take up to 20-30 minutes to activate and reflect the updated certificate on the IDPs. During this time, new user logins and logouts of already logged-in users will not work.

To activate renewed certificates:
  1. From the Partition and Departments dropdown menu, go to the partition space.

  2. From the Navigation menu, browse to Security > Single Sign-On > Configurations.

  3. From the Select Configuration dropdown, select Agent.

  4. On the Renew Certificates tab, you can renew the certificates by performing the following steps:

    • Click Add to open the renewed certificate, then click Copy Certificate Content to copy the content of the certificate.
    • Paste the certificate content into a file, save it with a .cer extension, and upload this file to the customer IDP in place of the corresponding expiring certificate.
    • To confirm the activation, log back into the Administration Console and click Confirm Activation next to the certificate that you have renewed. Perform this step immediately after the upload so that the certificate active on the eGain side matches the one uploaded to the IDP; any delay between the two extends the downtime described above.

      (Figure: Renew Certificates tab)

  5. Click the Save button.
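The procedure above asks the operator to paste copied certificate content into a .cer file and upload it to the IDP, and the earlier section asks them to act before the certificate expires. The script below is an added example, not eGain product code, that checks the pasted content before it goes anywhere: it normalises the copied text (with or without the BEGIN/END lines) into a proper PEM .cer file, extracts the validity period with a minimal DER walker, reports the SHA-256 fingerprint for comparison against what the IDP shows after upload, and flags whether the renewal is inside a warning window. The function names, the 30-day warning window and the sample certificate are assumptions; the sample is a constructed, unsigned DER skeleton so the example runs offline, and the parser does no signature or chain validation.

```python
"""Pre-upload check for a renewed SAML certificate (added example, not eGain code).

Takes the certificate content copied from the Renew Certificates tab, writes a
clean PEM .cer body, and reports fingerprint and remaining validity so the
operator can confirm the right file reached the IDP before clicking
Confirm Activation. Standard library only; no signature verification.
"""
import base64
import hashlib
import re
from datetime import datetime, timezone


def pem_to_der(text: str) -> bytes:
    """Accept copied content with or without armour lines; return DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", text)
    return base64.b64decode("".join(body.split()), validate=True)


def der_to_pem(der: bytes) -> str:
    """Re-armour DER as PEM, which is what a .cer file for the IDP should hold."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def _tlv(buf: bytes, pos: int):
    """Parse one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf: bytes, start: int, end: int):
    """Yield (tag, value_start, value_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, vs, ve = _tlv(buf, pos)
        yield tag, vs, ve
        pos = ve


def _time(buf: bytes, tag: int, vs: int, ve: int) -> datetime:
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) into an aware datetime."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(buf[vs:ve].decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def validity(der: bytes):
    """Return (notBefore, notAfter) from tbsCertificate without a full X.509 parser."""
    _, cert_start, _ = _tlv(der, 0)                 # Certificate SEQUENCE
    _, tbs_start, tbs_end = _tlv(der, cert_start)   # tbsCertificate SEQUENCE
    fields = list(_children(der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:                         # optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    _, vs, ve = fields[3]
    not_before, not_after = list(_children(der, vs, ve))
    return _time(der, *not_before), _time(der, *not_after)


def certificate_report(text: str, now: datetime, warn_days: int = 30) -> dict:
    """Fingerprint and validity summary for the copied certificate content."""
    der = pem_to_der(text)
    not_before, not_after = validity(der)
    days_left = (not_after - now).days
    return {
        "cer_file_content": der_to_pem(der),
        "sha256": hashlib.sha256(der).hexdigest(),   # compare with the IDP's view
        "not_before": not_before,
        "not_after": not_after,
        "days_left": days_left,
        "valid_now": not_before <= now <= not_after,
        "renewal_due": days_left <= warn_days,      # assumed 30-day warning window
    }


# --- constructed sample so the example runs offline -------------------------

def _der(tag: int, payload: bytes) -> bytes:
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def sample_certificate(not_before: datetime, not_after: datetime) -> str:
    """Constructed, unsigned certificate skeleton: structure only, not IDP-usable."""
    def utc(d):
        return _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    sig_alg = _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D01010B")))   # sha256WithRSA
    spki_alg = _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D010101")))  # rsaEncryption
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sig_alg
               + _der(0x30, b"") + _der(0x30, utc(not_before) + utc(not_after))
               + _der(0x30, b"") + _der(0x30, spki_alg + _der(0x03, b"\x00")))
    return der_to_pem(_der(0x30, tbs + sig_alg + _der(0x03, b"\x00" * 17)))


def demo_report() -> dict:
    """Sample valid 2024-01-01 to 2025-01-20, evaluated on 2025-01-01: 19 days left."""
    pem = sample_certificate(datetime(2024, 1, 1, tzinfo=timezone.utc),
                             datetime(2025, 1, 20, tzinfo=timezone.utc))
    return certificate_report(pem, now=datetime(2025, 1, 1, tzinfo=timezone.utc))


if __name__ == "__main__":
    r = demo_report()
    print(f"sha256={r['sha256']} days_left={r['days_left']} renewal_due={r['renewal_due']}")
```

Run it against real content by passing the pasted text to certificate_report with the current time; write the returned cer_file_content to the .cer file, and after the IDP upload compare the sha256 value with the thumbprint the IDP displays before clicking Confirm Activation.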