A couple quick comments before we get started:
- You should definitely look into upgrading to a newer version of AM, as 6.5 is no longer supported and the newest versions of AM continue to introduce a lot more fun things and make them all easier to use.
- The documentation you referenced is for 5.5, and there are some notable differences between 5.5 and 6.5 (although to be fair, I don’t think there are any which would change the answer to your inquiry).
So there are two main questions I see here:
- How do I update the signing certificate for a remote SP?
- How do I view the existing certificate for a remote SP?
To update the signing certificate for a remote SP there are two ways to go about this (that I can think of, perhaps others will offer up other methods). First, you can simply delete the existing SP configuration and import the new metadata containing the updated certificate. You’ll want to make sure you keep track of any attribute mappings that you have for the SP and reconfigure those once you’ve re-imported the metadata. The other approach would be to use Amster to export the existing configuration, modify the certificate information (you’d be looking for the KeyDescriptor element with a use of signing, or if only one KeyDescriptor exists, use that one; the X509Certificate element will be a couple of child nodes down from that), and then re-import the Amster entity.
To view the existing data, you also have two approaches (I’m sensing a common theme around the number 2). The easiest by far is to use the exportmetadata functionality in AM, where you can simply go to https://youramsite.com/openam/saml2/jsp/exportmetadata.jsp?entityid=yourentityid&realm=/yourrealm and copy the certificate out of the rendered metadata. The other approach would be to use Amster to export the metadata of the SP entity and then parse the certificate out from that. I don’t see a reason why you’d use the latter approach, but I’m putting it out there for you.
With regards to your exploration into Secret Stores, AM did not start using Secret Stores for SAML secret mappings until after 6.5 (with the exception of encrypting the local storage JWT for tracking SSO progress without sticky sessions, but that doesn’t apply here). Even then, the Secret Store mappings are for keys managed and used by AM (e.g. IDP assertion signing) and not the keys used by remote entities.
I hope this information is helpful to you, and I’m happy to answer any follow-up questions you may have.
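
The KeyDescriptor lookup described in the answer above, as an added example that is not part of the original post: it pulls the signing certificate(s) out of SP metadata (for instance the output of exportmetadata.jsp) and prints SHA-256 fingerprints you can compare with the certificate the SP owner sent you. The function names and the sample metadata are assumptions; the placeholder bytes stand in for real DER certificates, and the fallback generalizes the "only one KeyDescriptor" case to any KeyDescriptor without a `use` attribute, which SAML metadata treats as valid for both signing and encryption.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD, "ds": "http://www.w3.org/2000/09/xmldsig#"}


def signing_cert_fingerprints(metadata_xml):
    """SHA-256 fingerprints of every signing certificate in SP metadata."""
    # Parse only metadata exported from your own AM; ElementTree is not
    # hardened against hostile XML.
    root = ET.fromstring(metadata_xml)
    fingerprints = []
    for sp in root.iter("{%s}SPSSODescriptor" % MD):
        descriptors = sp.findall("md:KeyDescriptor", NS)
        chosen = [kd for kd in descriptors if kd.get("use") == "signing"]
        if not chosen:
            # No explicit signing key: a KeyDescriptor without "use" covers both.
            chosen = [kd for kd in descriptors if kd.get("use") is None]
        for kd in chosen:
            for cert in kd.iterfind(".//ds:X509Certificate", NS):
                # Metadata usually wraps the base64 text; strip whitespace first.
                der = base64.b64decode("".join((cert.text or "").split()))
                fingerprints.append(hashlib.sha256(der).hexdigest())
    return fingerprints


def key_descriptor(use_attr, der):
    # Hypothetical helper: builds one KeyDescriptor for the constructed sample.
    b64 = base64.b64encode(der).decode()
    return ('<md:KeyDescriptor%s><ds:KeyInfo><ds:X509Data><ds:X509Certificate>\n'
            '%s\n</ds:X509Certificate></ds:X509Data></ds:KeyInfo>'
            '</md:KeyDescriptor>' % (use_attr, b64))


# Constructed sample: placeholder bytes, not real certificates.
SIGNING_DER = b"constructed-signing-certificate"
ENCRYPTION_DER = b"constructed-encryption-certificate"
SAMPLE = (
    '<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" entityID="yourentityid">'
    '<md:SPSSODescriptor '
    'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    '%s%s</md:SPSSODescriptor></md:EntityDescriptor>'
    % (MD, NS["ds"], key_descriptor(' use="signing"', SIGNING_DER),
       key_descriptor(' use="encryption"', ENCRYPTION_DER))
)

if __name__ == "__main__":
    for fp in signing_cert_fingerprints(SAMPLE):
        print("signing cert sha256:", fp)
```

Running the same function before and after a metadata re-import or Amster edit confirms that AM now holds the certificate you intended.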