Shibboleth opensaml – FatalProfileException – Message was signed, but signature could not be verified

Client asked to update our cert to their adfs. Couldn’t find a good way to troubleshoot this using google so started to examine all the configuration files in /etc/shibboleth.

Led me to federationmetadata.xml.

Found section keydescriptor that looked like a certificate so I added a new section with the new cert.

<KeyDescriptor use="signing">
<KeyInfo xmlns="">

SSL/TLS Strong Encryption: How-To

# "Modern" configuration, defined by the Mozilla Foundation's SSL Configuration
# Generator as of August 2016. This tool is available at
SSLProtocol         all -SSLv3 -TLSv1 -TLSv1.1
# Many ciphers defined here require a modern version (1.0.1+) of OpenSSL. Some
# require OpenSSL 1.1.0, which as of this writing was in pre-release.
SSLHonorCipherOrder on
SSLCompression      off
SSLSessionTickets   off