Why does Azure AD use an inactive certificate instead of an expired, active certificate?

Andre Dupre Kuiper 0 Reputation points
2023-04-28T18:39:40.44+00:00

I created a new, inactive saml signing certificate for an Azure AD application (first image below). The app has an existing (active) but expired certificate. The new, inactive certificate was then presented to the SP as the signing certificate (second image below) causing an error as the SP had not been updated to use the new certificate.

Is this expected behavior? I could not find anything in the documentation that describes this.



1 answer

  1. Shweta Mathur 29,741 Reputation points Microsoft Employee
    2023-05-02T06:46:08.6666667+00:00

    Hi @Andre Dupre Kuiper ,

    Thanks for reaching out.

    This is expected behavior. When you have an existing certificate that is already expired and you generate a new certificate, the new certificate will be considered for signing tokens, even though you haven't activated it yet.

    In this case, though, users may experience an application outage.

    If you intend to keep certificate expiry validation disabled and want to utilize the expired certificate, then the new certificate shouldn't be created.

    Reference: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/tutorial-manage-certificates-for-federated-single-sign-on

    Hope this will help.

    Thanks,

    Shweta


    Please remember to "Accept Answer" if answer helped you.
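An SP-side pre-flight check for the rollover failure described in this thread, added here as an example (it is not code from the thread or from Microsoft): it parses IdP federation metadata and reports every advertised signing certificate the SP has not been configured to trust, plus any trusted certificate that has already expired. The metadata and certificate blobs are constructed, not real DER, and the check assumes the metadata advertises every certificate the IdP might sign with.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import date

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def thumbprint(cert_b64: str) -> str:
    """SHA-1 over the decoded certificate bytes, upper-case hex (the form the portal shows)."""
    return hashlib.sha1(base64.b64decode("".join(cert_b64.split()))).hexdigest().upper()


def advertised_signing_thumbprints(metadata_xml: str) -> list[str]:
    """Thumbprints of every KeyDescriptor the IdP metadata marks as usable for signing."""
    root = ET.fromstring(metadata_xml)
    found = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' attribute means signing and encryption
            continue
        cert = kd.find(".//ds:X509Certificate", NS)
        if cert is not None and cert.text:
            found.append(thumbprint(cert.text))
    return found


def check_sp_trust(metadata_xml: str, sp_trusted: dict[str, date], today: date) -> list[str]:
    """sp_trusted maps thumbprint -> notAfter as recorded in the SP's trust store."""
    findings = []
    advertised = advertised_signing_thumbprints(metadata_xml)
    for tp in advertised:
        if tp not in sp_trusted:
            findings.append(f"IdP may sign with {tp} but the SP does not trust it")
        elif sp_trusted[tp] < today:
            findings.append(f"SP-trusted certificate {tp} expired on {sp_trusted[tp]}")
    for tp in sp_trusted:
        if tp not in advertised:
            findings.append(f"SP trusts {tp} which the IdP no longer advertises")
    return findings


# Constructed sample data: the blobs are placeholders, not real DER certificates.
OLD_CERT_B64 = base64.b64encode(b"constructed-old-expired-cert").decode()
NEW_CERT_B64 = base64.b64encode(b"constructed-new-inactive-cert").decode()
METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="https://sts.example.test/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{OLD_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{NEW_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
SP_TRUST = {thumbprint(OLD_CERT_B64): date(2023, 4, 1)}  # SP never updated: trusts only the old cert
FINDINGS = check_sp_trust(METADATA, SP_TRUST, date(2023, 4, 28))
```

Running the check after creating a certificate in Entra, and before any SP traffic depends on it, surfaces the untrusted-certificate finding that the asker only discovered from the SP error.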

