- Pass your new certificate to the federation operator ahead of time and arrange a date for them to publish the change. Explain that this is a change to a live service, so that they will not expect to see that certificate in your metadata immediately.
- Once they publish the change, it will take up to 24 hours for resources to pick up that change. As they update, they will become unavailable because your SAML responses will not be signed with the certificate they're expecting.
- At some point between the first resources becoming unavailable and all of them becoming unavailable, do step 8 (restart Apache) to make the change live.
If you publish a new configuration from the administration console, Apache will be restarted and the new certificate will come into play at that time. You may like to take steps to mitigate this.
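
To time the restart, you can check which signing certificate the federation currently publishes for your entity. The following is an added example, not part of the original procedure or the product's own tooling: it assumes you have already downloaded the federation metadata and verified its signature, that your entity is published with an `IDPSSODescriptor`, and it uses a hypothetical entityID and constructed stand-in bytes in place of real certificates.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD, "ds": "http://www.w3.org/2000/09/xmldsig#"}

def fingerprint(cert_text):
    """SHA-256 over the DER bytes; accepts PEM or a bare ds:X509Certificate body."""
    body = "".join(l.strip() for l in cert_text.splitlines() if "-----" not in l)
    return hashlib.sha256(base64.b64decode(body)).hexdigest()

def published_signing_certs(metadata_xml, entity_id):
    """Fingerprints of the signing certificates the federation publishes for entity_id."""
    found = set()
    for entity in ET.fromstring(metadata_xml).iter(f"{{{MD}}}EntityDescriptor"):
        if entity.get("entityID") != entity_id:
            continue
        for kd in entity.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
            if kd.get("use") in (None, "signing"):  # no 'use' means signing and encryption
                for cert in kd.iterfind("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                    found.add(fingerprint(cert.text or ""))
    return found

def rollover_state(metadata_xml, entity_id, old_cert, new_cert):
    published = published_signing_certs(metadata_xml, entity_id)
    has_old = fingerprint(old_cert) in published
    has_new = fingerprint(new_cert) in published
    if has_new and not has_old:
        return "published"   # resources start expecting the new certificate
    if has_old and not has_new:
        return "pending"     # change not published yet; keep signing with the old one
    return "both" if has_new else "missing"

# Constructed sample data: stand-in bytes, not real X.509 certificates.
OLD = base64.b64encode(b"constructed old signing certificate").decode()
NEW = base64.b64encode(b"constructed new signing certificate").decode()
ENTITY = "https://idp.example.org/entity"  # hypothetical entityID

def sample_metadata(cert_b64):
    return (f'<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:ds="{NS["ds"]}">'
            f'<md:EntityDescriptor entityID="{ENTITY}"><md:IDPSSODescriptor '
            f'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            f'<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data>'
            f'</ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor>'
            f'</md:EntityDescriptor></md:EntitiesDescriptor>')

if __name__ == "__main__":
    print(rollover_state(sample_metadata(OLD), ENTITY, OLD, NEW))  # pending
    print(rollover_state(sample_metadata(NEW), ENTITY, OLD, NEW))  # published
```

A result of `published` only shows that the federation has made the change; individual resources still pick it up over the following period, as described above.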