About Digital Certificates

Learn what a digital certificate is and what to do when a certificate expires.

What is a Digital Certificate?

A digital certificate is like an electronic passport that helps a person, computer, or organization to exchange information securely over the Internet using public key cryptography. A digital certificate may be referred to as a public key certificate.

Just like a passport, a digital certificate provides identifying information, is forgery resistant, and can be verified because it is issued by an official, trusted agency. The certificate can contain the name of the certificate holder, a serial number, expiration dates, a copy of the certificate holder's public key (used for encrypting messages and verifying digital signatures) and the digital signature of the certificate-issuing authority (CA) so that a recipient can verify that the certificate is real.

In order to verify external identity providers’ signatures, stores copies of their signing certificates. When receives a signed message from an identity provider, before the stored certificate is used to verify the signature, the certificate must be verified as valid. Part of validating the certificate is verifying that it has not expired. After the certificate has been validated, the certificate is used to verify the signature on the message.

In order for this operation to succeed, the public key embedded in the certificate must match the private key that the identity provider used to sign the message.

What if an Identity Provider's Certificate Expires?

If an identity provider's signing certificate expires, then certificate validation will fail, and will be unable to complete single sign-on operations for that identity provider's users. Therefore, when an identity provider's certificate nears its expiration date, you must make plans to replace it. The typical process is a follows:
  1. Obtain the new signing certificate from the identity provider. This may be published by the identity provider for self-service download, or you may need to contact the identity provider administrator.
  2. Load the new signing certificate into the Oracle Identity Cloud Service configuration for the identity provider.
  3. If the identity provider has also rolled over its signing private/public key pair (rather than only re-issuing a new certificate for the existing key pair), then the identity provider must be updated to begin using the new keys to sign messages. Again, this may be self-service or require coordination with the identity provider administrator.


If the identity provider rolls over its signing key pair, then Single Sign-On will fail during the period of time between Step 2 and Step 3 above. For this reason, the certificate update is typically coordinated between the identity provider and Oracle Identity Cloud Service administrators, in order to minimize the downtime, as well as schedule it for a period of low user activity.