Hello
I'm looking to run Picketlink as an SP (in Wildfly), and can see that I have to add the remote IdP certificate to a JKS and reference that by its JKS alias as a ValidatingAlias:
<ValidatingAlias Key="idp.client.org" Value="client-adfs-cert" />
However, if the remote IdP is rotating their IdP keys (ADFS default is every 365 days for the token signing cert), then in order to have a smooth transition/rollover/refresh, I'll want to grab the updated metadata and cert and have that available in production before the IdP starts USING this new certificate. I could add the new key as a new alias in my JKS, but my question is:
Can I add a second ValidatingAlias for the same Key but with a different Value to support both the current and the new keys, and have either used (so I can later come back and then remove the then-expired original cert)? I.e.:
<ValidatingAlias Key="idp.client.org" Value="client-adfs-cert-2014" />
<ValidatingAlias Key="idp.client.org" Value="client-adfs-cert-2015" />
Many thanks,
James
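Whatever the answer on duplicate ValidatingAlias entries turns out to be, the keystore side of the rollover described above can be checked mechanically: pull the IdP's current metadata, list every signing certificate it advertises, and flag any that no JKS alias covers yet. The script below is an added example (not code from this thread, from Picketlink or from Wildfly) that does exactly that using only the Python standard library. The metadata document and the two "certificates" in it are constructed placeholders (arbitrary bytes base64-encoded so the example runs offline), and CURRENT_ALIASES is an assumed map of JKS alias to the base64 DER body stored under it; with real metadata the fingerprint it prints matches what `keytool -list -v` shows, so you can confirm the right cert was imported under the new alias.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed placeholder "certificates": real metadata carries base64 DER X.509;
# these are labelled byte strings so the example runs without network or a real IdP.
CERT_2014 = base64.b64encode(b"constructed-placeholder-cert-2014").decode()
CERT_2015 = base64.b64encode(b"constructed-placeholder-cert-2015").decode()

# Constructed IdP metadata: during a rollover the IdP advertises both signing certs
# (ADFS does this with its primary and secondary token-signing certificate).
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="idp.client.org">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {CERT_2014}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CERT_2015}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CERT_2014}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Assumed view of what the SP's JKS currently trusts: alias -> base64 DER of that cert.
CURRENT_ALIASES = {"client-adfs-cert-2014": CERT_2014}


def fingerprint(cert_b64):
    """SHA-256 fingerprint of the DER bytes, colon-separated as keytool prints it."""
    der = base64.b64decode("".join(cert_b64.split()))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def extract_signing_certs(metadata_xml):
    """Return the base64 body of every signing certificate, whitespace stripped,
    in document order. A KeyDescriptor without a 'use' attribute is valid for
    both signing and encryption, so it is included too."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for node in kd.iterfind(".//ds:X509Certificate", NS):
            body = "".join((node.text or "").split())
            if body and body not in certs:
                certs.append(body)
    return certs


def certs_needing_alias(metadata_xml, configured):
    """Signing certs the IdP advertises that no keystore alias covers yet.
    Each one has to be imported and given its own alias before the IdP starts
    signing with it, otherwise assertions signed by the new key fail validation."""
    known = {"".join(v.split()) for v in configured.values()}
    return [c for c in extract_signing_certs(metadata_xml) if c not in known]


if __name__ == "__main__":
    for cert in certs_needing_alias(SAMPLE_METADATA, CURRENT_ALIASES):
        print("signing cert advertised by IdP but not in keystore:", fingerprint(cert))
```

Run against the constructed metadata it reports the 2015 certificate as missing, which is the cue to import it under a second alias and stage the matching configuration before the IdP switches keys. The encryption-only KeyDescriptor is deliberately skipped, since it is not what validates assertion signatures.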