Product Documentation

Managing SSO Keys and Certificates

All certificate information can be found in the SKFS FIDO policy for the newly created domain. This policy can be retrieved in one of three ways: by calling the getpolicy API, by using the FIDO administrator CLI client, or by manually checking the database. Once the policy is retrieved and base64-decoded, the subject DNs, serial numbers, and PEM-encoded certificates can be found for the Root CA, JWT, and SAML certificates of the domain in question.

When it is time to renew expiring SSO certificates, the Escrow SSO Key Tool (Rename TBD) can be used to generate a new key pair and a certificate issued by the domain's SSO Root CA.