Certificate Rotation: Frequently Asked Questions
Get answers to frequently asked questions around certificate rotation
- Identifying Certificate Files
- Updating my Organization's Certificate
- EVERFI Product Scope
- My identity provider doesn't use the Foundry certificate. Do I still need to rotate the certificate?
- Multiple Identity Providers
- What if I can't rotate in time, or don't rotate at all? What will happen?
- What if my identity provider does not encrypt Assertions? How does that affect certificate rotation?
- Which certificate does Foundry use to decrypt a SAML Response?
- Okta identity provider and Foundry certificate rotation
- Microsoft Azure
Identifying Certificate Files
Q: I have a couple of certificate files. How can I figure out which one is which?
A: Open the file using a text editor that doesn’t format it like a regular document. Then visit https://www.sslshopper.com/certificate-decoder.html and follow the instructions. You can also refer to the Foundry Certificate History for a list of Everfi Foundry X.509 certificates.
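An offline way to tell certificate files apart, added here as an example and not part of EVERFI's article: it assumes the openssl command-line tool is installed, and it builds its own constructed sample certificates rather than touching any real Foundry certificate.

```shell
#!/bin/sh
# Added example, not EVERFI's code: summarise each certificate file locally so you can
# tell them apart (and spot the expiring one) without pasting them into a web decoder.
# Assumes the openssl CLI is installed; handles PEM and DER encoded certificates.
set -eu

# PEM files carry the "BEGIN CERTIFICATE" armour; anything else is treated as DER.
cert_form() {
    if grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null; then echo PEM; else echo DER; fi
}

# Print subject, issuer, validity window and SHA-256 fingerprint for file $1.
# Returns 1 (with a note on stderr) if the file is not a parsable X.509 certificate,
# e.g. a private key or metadata XML that got mixed in with the certificates.
describe_cert() {
    openssl x509 -in "$1" -inform "$(cert_form "$1")" -noout \
        -subject -issuer -startdate -enddate -fingerprint -sha256 2>/dev/null \
        || { echo "$1: not an X.509 certificate" >&2; return 1; }
}

# Return 0 if certificate $1 is still valid for at least $2 seconds from now.
cert_valid_for() {
    openssl x509 -in "$1" -inform "$(cert_form "$1")" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# Constructed demo input in directory $1: a cert expiring tomorrow, one good for a
# year, a DER copy of the latter, and the private keys that were generated alongside.
make_demo_files() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/old.key" -out "$1/old.pem" \
        -subj "/CN=foundry-old (constructed)" -days 1 >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/new.key" -out "$1/new.pem" \
        -subj "/CN=foundry-new (constructed)" -days 365 >/dev/null 2>&1
    openssl x509 -in "$1/new.pem" -outform DER -out "$1/new.der"
}

# Demo: describe every file in the directory and flag those expiring within 30 days.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); make_demo_files "$d"
    for f in "$d"/*; do
        echo "== $(basename "$f")"
        if describe_cert "$f"; then
            cert_valid_for "$f" 2592000 && echo "   OK: valid for 30+ days" \
                                         || echo "   WARNING: expires within 30 days"
        fi
    done
    rm -rf "$d"
fi
```

Run it with `--demo` to see the summary for the constructed files; point `describe_cert` at your own files to compare their fingerprints against the Foundry Certificate History.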
Updating my Organization's Certificate
Q: My own organization’s X.509 certificate is expiring. How do I update this in Foundry?
A: Refer to the guide titled Set Up Your Identity Provider in Foundry for step-by-step instructions.
EVERFI Product Scope
Q: Which EVERFI products does this apply to?
A: This applies specifically to Foundry, including the Financial Education elective learning platform. Other Everfi products may have different configurations.
My identity provider doesn't use the Foundry certificate. Do I still need to rotate the certificate?
A: If your identity provider doesn’t use the Foundry certificate for token encryption or signature validation in SAML messages, you don’t need to update it. However, we recommend updating your Foundry identity provider configuration to the latest certificate to confirm you're not using the older one.
Multiple Identity Providers
Q: I have multiple identity providers in Foundry. How do I manage that?
A: You need to rotate the certificate for each identity provider configuration in Foundry.
Missed the Rotation Deadline?
Q: What happens if we don’t rotate before the certificate expires?
A: Please rotate your certificate as soon as possible. Foundry won’t block SSO if its certificate is expired, but your identity provider might. Behavior varies by provider.
No Assertion Encryption?
Q: My identity provider doesn’t encrypt SAML Assertions. Do I still need to rotate?
A: Yes. Even if you’re not encrypting, you still need to rotate the signing certificate.
Decrypting SAML Responses?
Q: My identity provider encrypts the SAML Assertion in the SAML Response. How does Foundry decrypt it?
A: Foundry uses the certificate specified in your identity provider configuration to handle both signing and decryption. You can find this configuration in the article https://help.everfi.com/s/article/How-To-Rotate-The-Certificate, which outlines how your identity provider communicates with Foundry.
In that configuration, there’s a field for the Foundry certificate. Foundry uses this certificate to digitally sign its outgoing SAML messages — including AuthnRequest, LogoutRequest, and LogoutResponse. Your identity provider should store this certificate and use it to validate the signature of incoming messages from Foundry.
For decryption, Foundry attempts to decrypt the encrypted SAML Assertion using the same certificate. However, there’s a fallback mechanism:
If decryption fails and the certificate used is not the newest Foundry certificate, Foundry will try again using its newest certificate.
This dual-certificate support allows for staggered certificate rotation, which is especially helpful when different people manage the identity provider and the Foundry configuration. For example, one person might update the identity provider while another updates Foundry — and those steps don’t need to happen simultaneously.
As long as you complete Step 5 (updating Foundry’s identity provider configuration) before the old certificate expires, single sign-on (SSO) will continue to work without interruption. Step 6 is considered housekeeping and can be done later.
This flexibility means you can rotate certificates with hours, days, or even weeks between updates — minimizing disruption and making coordination easier across teams.
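The fallback described above, modelled as an added example (not EVERFI's code and not Foundry's actual implementation) with the openssl command-line tool assumed installed: the identity-provider side wraps a random AES key with a Foundry certificate and encrypts the assertion under that key, as SAML's XML Encryption does, and the service-provider side tries the configured key first and the newest key only if that fails. All certificates and the assertion text are constructed.

```shell
#!/bin/sh
# Added example, not EVERFI's code: a model of the dual-certificate fallback using the
# openssl CLI (assumed installed). RSA-OAEP wraps a session key (EncryptedKey) and
# AES-256-CBC encrypts the assertion (EncryptedData). All key material is constructed.
set -eu

# Constructed key material: two self-signed "Foundry" certs, old and new, in $1.
make_keys() {
    for n in old new; do
        openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/$n.key" -out "$1/$n.crt" \
            -subj "/CN=foundry-$n (constructed)" -days 365 >/dev/null 2>&1
    done
}

# IdP side: encrypt assertion text $2 to certificate $1, producing $3.key and $3.enc.
idp_encrypt() {
    cert="$1"; msg="$2"; out="$3"
    openssl rand -hex 32 > "$out.aes"                   # fresh session key
    openssl pkeyutl -encrypt -certin -inkey "$cert" -pkeyopt rsa_padding_mode:oaep \
        -in "$out.aes" -out "$out.key"                   # RSA-OAEP wrap of the key
    printf '%s' "$msg" | openssl enc -aes-256-cbc -pbkdf2 -pass "file:$out.aes" -out "$out.enc"
    rm -f "$out.aes"
}

# One decryption attempt with private key $1; prints the assertion or returns 1.
try_decrypt() {
    key="$1"; in="$2"; tmp="$in.$$.aes"
    openssl pkeyutl -decrypt -inkey "$key" -pkeyopt rsa_padding_mode:oaep \
        -in "$in.key" -out "$tmp" 2>/dev/null || { rm -f "$tmp"; return 1; }
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$tmp" -in "$in.enc" 2>/dev/null \
        || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
}

# SP side, as the text describes it: configured key $1 first; if that fails and the
# configured certificate is not the newest ($2), retry once with the newest.
sp_decrypt() {
    configured="$1"; newest="$2"; in="$3"
    if try_decrypt "$configured" "$in"; then return 0; fi
    [ "$configured" != "$newest" ] || return 1
    echo "configured key failed, retrying with newest certificate" >&2
    try_decrypt "$newest" "$in"
}

# Demo: IdP already moved to the new certificate, Foundry still configured with the old.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); make_keys "$d"
    idp_encrypt "$d/new.crt" '<saml:Assertion ID="constructed-1"/>' "$d/resp"
    sp_decrypt "$d/old.key" "$d/new.key" "$d/resp"; echo
    rm -rf "$d"
fi
```

Because the retry only goes forward to the newest certificate, an identity provider still encrypting to the old certificate after Foundry has already been switched to the newest one gets no second attempt in this model; that is the ordering the staggered rotation relies on.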
Okta-Specific Instructions
Q: How do I do this in Okta?
A: If you're using Okta, the steps differ depending on whether you're rotating the signing certificate or the encryption certificate.
If Single Logout is enabled, you must rotate the signing certificate. Refer to steps 17–27 in the SSO Setup With Okta instructions. You can also review Okta’s help article titled How to replace a Service Provider Signing Certificate in Okta, which applies to service providers like EVERFI.
If your identity provider encrypts SAML Response Assertions, you must also rotate the encryption certificate. Use the same Okta help article and follow the steps for replacing the encryption certificate. This option is only visible if Assertion Encryption is set to “Encrypted.” If it’s set to “Unencrypted,” you do not need to rotate the encryption certificate.
Microsoft Azure
Q: My identity provider is Microsoft Azure. How do I rotate the certificate?
A: Download and follow the instructions in SSO Setup With Microsoft Azure.