Updating & Managing Certificates

Overview

Certificates are a critical component of Cirrus Identity products, helping to secure communications and establish trust between systems. Because certificates expire and must be renewed periodically, it is important to understand how they are managed within your deployment.


Some certificates are managed and renewed automatically by Cirrus Identity and require no customer action. Others are customer-owned or managed by external systems and may require coordination with the Cirrus Identity Customer Success team to ensure a smooth renewal process.


Certificates that Require Cirrus Identity Support

If you would like to rotate your SAML signing certificate, please review the required steps in Metadata Certificate Rotation for Cirrus Bridge and contact the Cirrus Identity Customer Success team for support.


Certificates that do not Require Cirrus Identity Support

1. If your SAML application is rotating its certificate, use the Cirrus console to update the application’s metadata to include the new certificate. It can take up to 90 minutes to see your changes reflected in the console. 

2. If your Bridge’s Entra ID Enterprise Application’s SAML signing certificate is expiring, follow these steps and we will pick up the certificate automatically. 

a. Generate a new certificate in Entra ID for the Enterprise Application (but do NOT make it the active certificate yet).

b. Entra ID will automatically publish the new certificate in the app's SAML metadata.

c. Cirrus Identity periodically (hourly) retrieves that metadata.

d. Wait at least 3 hours to ensure that Cirrus has received and updated the metadata.

e. Once Cirrus has the updated metadata (after 3 hours), make the new certificate active in Entra ID.

3. If your Cirrus Bridge uses the DNS add-on, Cirrus uses TLS certificates issued to the chosen domain name to secure and encrypt traffic. Your implementation lead will walk you through this process during initial deployment; after go-live, TLS certificates are automatically renewed by Cirrus at least 30 days prior to expiration. Cirrus Identity will contact you if there are issues renewing your TLS certificate.

4. If you need to register the Cirrus Proxy with a trust federation (e.g., InCommon): trust federations will request a certificate for registration. Instructions: How to Register a Proxy SP as an R&S Entity with InCommon
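
For step 2 above, one way to confirm that Entra ID has published the new, not-yet-active certificate in the application's SAML metadata before you start the 3-hour wait. This is an added example, not Cirrus Identity or Microsoft code; the function names and sample metadata are constructed for illustration, and it assumes the thumbprint you compare against is the SHA-1 of the DER-encoded certificate.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def thumbprint(der):
    """SHA-1 of the DER certificate as uppercase hex (assumed thumbprint format)."""
    return hashlib.sha1(der).hexdigest().upper()

def signing_thumbprints(metadata_xml):
    """Thumbprints of every IdP signing certificate listed in SAML metadata."""
    # Intended for your own tenant's metadata; parse untrusted XML with defusedxml.
    root = ET.fromstring(metadata_xml)
    found = set()
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute covers signing as well.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            b64 = "".join((cert.text or "").split())  # drop line wrapping
            found.add(thumbprint(base64.b64decode(b64)))
    return found

def new_cert_published(metadata_xml, new_thumbprint):
    """True once the new certificate appears in the metadata (step b)."""
    wanted = new_thumbprint.replace(":", "").replace(" ", "").upper()
    return wanted in signing_thumbprints(metadata_xml)

# --- constructed sample data: placeholder bytes, not real certificates ---
OLD_DER = b"constructed-current-signing-cert"
NEW_DER = b"constructed-new-signing-cert"

def sample_metadata(ders):
    keys = "".join(
        '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        f"<ds:X509Certificate>{base64.b64encode(d).decode()}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>" for d in ders)
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
            'entityID="https://idp.example.edu/constructed"><md:IDPSSODescriptor '
            'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            f"{keys}</md:IDPSSODescriptor></md:EntityDescriptor>")

if __name__ == "__main__":
    new_tp = thumbprint(NEW_DER)
    print("before step a:", new_cert_published(sample_metadata([OLD_DER]), new_tp))
    print("after step b: ", new_cert_published(sample_metadata([OLD_DER, NEW_DER]), new_tp))
```

A True result only confirms that Entra ID has published the certificate; the 3-hour wait in step d still applies before making it active.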

 

Additional Information

If you are using, plan to use, or have switched to using CAA records, please ensure that the records include one of the following: amazon.com, amazontrust.com, awstrust.com, or amazonaws.com.


Additional Support

If you need additional assistance, please submit a support request via the Support Portal or email support@cirrusidentity.com.