* Update line
* Add expiry information
* Apply suggestion from @dominic-r
Co-authored-by: Dominic R <[email protected]>
Signed-off-by: Dewi Roberts <[email protected]>
* Apply suggestions
* Improve language
* Apply suggestions
---------
Signed-off-by: Dewi Roberts <[email protected]>
Co-authored-by: Dominic R <[email protected]>
File: website/docs/sys-mgmt/certificates.md (21 additions, 1 deletion)
@@ -20,6 +20,24 @@ While this certificate can be used for SAML providers/sources, remember that it'
20
20
21
21
For SAML use-cases, you can generate a certificate with a longer validity period (at your own risk).
22
22
23
+
## Certificate considerations
24
+
25
+
### OAuth and SAML
26
+
27
+
For OAuth and SAML providers, in the vast majority of cases, certificate expiry does not matter. Most service providers don't check whether certificates are expired. What usually matters is that the signature is valid.
28
+
29
+
However, there are some notable exceptions; for example, the Slack SAML integration does check for certificate expiry.
30
+
31
+
We recommend checking your service provider's documentation for specific requirements.
32
+
33
+
### Proxy provider and brands
34
+
35
+
We recommend using a certificate generated outside of authentik that matches your Fully Qualified Domain Name (FQDN), preferably issued by a publicly trusted certificate authority.
36
+
37
+
### Radius EAP-TLS
38
+
39
+
We recommend using a certificate generated outside of authentik. A privately issued certificate is sufficient.
40
+
23
41
## Downloading SAML certificates
24
42
25
43
To download a certificate for SAML configuration:
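Review bot: The claim in the new "OAuth and SAML" subsection that certificate expiry "does not matter" for OAuth and SAML providers is broader than the hunk supports. The justification ("What usually matters is that the signature is valid") and the one exception given (the Slack SAML integration) are both about SAML service providers, and nothing in the section says what OAuth clients check, so either narrow the heading and sentence to SAML or add a sentence on OAuth. The wording should also be reconciled with the unchanged line just above it, which says a longer validity period is "at your own risk"; as written, the page says both that long validity is risky and that expiry does not matter. A safer phrasing would be "Most SAML service providers do not check whether the signing certificate has expired; they verify only the signature", which keeps the claim to what is observable. Two smaller points in the same hunk: under "Radius EAP-TLS", "A privately issued certificate is sufficient" holds only when the supplicants are configured to trust that private CA, which is worth stating in the same sentence, and "Radius" should be written "RADIUS" since it is an acronym.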
@@ -49,7 +67,9 @@ Certificate discovery can be manually initiated by restarting the `certificate_d
49
67
-**Docker Compose**: A `certs` directory is mapped to `/certs` within the worker container.
50
68
-**Kubernetes**: You can mount custom Secrets or Volumes under `/certs` and configure them in the worker Pod specification.
51
69
52
-
authentik checks for new or changed files every hour and automatically triggers an outpost refresh when changes are detected.
70
+
When a new key pair is added or changed, authentik automatically triggers an outpost refresh.
71
+
72
+
When a new key pair is added with a private key that already exists in the database, authentik updates the existing key pair's certificate instead of creating a duplicate one.
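Review bot: Removing "authentik checks for new or changed files every hour" drops the only statement of how long a certificate placed under `/certs` takes to be picked up; the replacement "When a new key pair is added or changed, authentik automatically triggers an outpost refresh" reads as if the refresh happens immediately, while the unchanged context above describes discovery as a task that can be restarted manually. If the hourly check still applies, keep the interval (e.g. "authentik checks `/certs` for new or changed files every hour; when a key pair is added or changed, an outpost refresh is triggered"); if it has changed, state the actual interval so readers rotating certificates know the latency. For the new de-duplication sentence, consider saying what "a private key that already exists in the database" matches on (the key material, independent of file name?) and whether a rotation to a new private key therefore creates a new key pair object rather than updating the one providers currently reference, since that determines whether providers need to be re-pointed after a rotation.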