Obtain a verification certificate
Describes the purpose and requirements for a verification certificate
When you configure VIP Login, you must provide a verification certificate (sometimes known as a signing certificate). Your SAML client uses this certificate to sign the SAML requests and responses that it sends to VIP Login. In turn, VIP Login verifies your SAML requests and responses with this certificate. VIP Login supports verification certificates that are generated by most standard certificate tools (such as OpenSSL). For security, Symantec recommends that you generate the certificate with the RSA algorithm, using at least 2048-bit keys. The certificate can be self-signed.
If you use a separate Identity Provider solution from your Service Provider solution, you can choose to use the same verification certificate to sign your SAML messages.
Once you have obtained a Verification Certificate, continue with the following steps:
Renewing or Replacing a Verification Certificate
Periodically, you may need to replace your verification certificate or renew an expiring one. Once you have updated your SAML client with the new or replacement certificate, you must also upload it to VIP Manager. Use the same procedures to upload the new or replacement verification certificate that you used when you initially configured VIP Login. See Configure VIP Login for details.
If you use the same verification certificate for both your Identity Provider solution and your Service Provider solution, remember to upload your verification certificate to both configurations.
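The following shell functions are an added example, not part of the original Symantec documentation. They generate a self-signed RSA certificate with OpenSSL and check, before upload, that a certificate meets the recommendation above (RSA, at least 2048-bit keys) and is not close to expiry, which covers both the initial setup and the renewal case. The file names, subject name, certificate lifetime and 30-day renewal window are assumptions.

```shell
#!/bin/sh
# Added example: paths, subject and lifetimes below are assumptions.

# gen_cert KEY_OUT CERT_OUT [BITS] [DAYS]
# Create a self-signed RSA signing certificate. The private key is written
# unencrypted, so it is created under a restrictive umask; it stays with the
# SAML client, and only the certificate file is uploaded.
gen_cert() {
    (
        umask 077
        openssl req -x509 -newkey "rsa:${3:-2048}" -sha256 -nodes \
            -days "${4:-365}" -subj "/CN=saml-signing.example.test" \
            -keyout "$1" -out "$2" 2>/dev/null
    )
}

# cert_bits CERT
# Print the public key size, in bits, of a PEM certificate.
cert_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# check_cert CERT [MIN_DAYS_LEFT]
# Return codes:
#   0  certificate is RSA, >= 2048 bits, valid for more than MIN_DAYS_LEFT
#   1  public key is not RSA
#   2  RSA key is smaller than 2048 bits
#   3  certificate expires within MIN_DAYS_LEFT days (default 30)
check_cert() {
    openssl x509 -in "$1" -noout -text |
        grep -q 'Public Key Algorithm: rsaEncryption' || return 1
    [ "$(cert_bits "$1")" -ge 2048 ] || return 2
    openssl x509 -in "$1" -noout \
        -checkend "$(( ${2:-30} * 86400 ))" >/dev/null || return 3
    return 0
}

# Typical use (constructed file names):
#   gen_cert saml-signing.key saml-signing.pem 2048 365
#   check_cert saml-signing.pem 30 && echo "ready to upload"
```

Running check_cert on a schedule against the certificate currently in use gives advance notice that a renewal, and the matching upload to VIP Manager, is due.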