Renewing your certificate regularly is generally considered a good practice from a security standpoint. However, within the FIFA Connect ID ecosystem, the process comes with important caveats and operational nuances that should be carefully considered before proceeding.


Certificates Never Expire
First and foremost, it's important to understand that the validity of your certificate is not actively verified within the Connect ID system. This means that renewing your certificate purely for expiration purposes is not required and, in some cases, may introduce unnecessary complications in system communication.


Impact of Certificate Changes
When you generate and upload a new certificate, other Member Associations (MAs) you exchange messages with may still use your previous public key, which they often cache locally for up to 24 hours. If you immediately switch to only using the new certificate for decryption, you may experience issues decrypting incoming messages still encrypted with the old key.


Recommended Approach
To avoid disruptions during this transitional period, we recommend updating your certificate handling logic to support both the old and new certificates simultaneously. This ensures seamless decryption of all messages—regardless of which version of your public key the sending MA is currently using.
Here’s how to do it:

// Pass every certificate still in use: the store tries each private key, so messages encrypted with either public key decrypt.
var privateStore = new PrivateKeyMemoryStorage(newCertificate, oldCertificate);

This constructor allows the system to attempt decryption using either the new or old key. Refer to Section 2.1.2 “Generate new certificate” in the fifa-connectservicebus-sdk-net documentation included in the SDK package for detailed guidance.


TMS and Other MA Synchronisation
If you're noticing issues immediately after certificate renewal, it's possible that TMS or other MAs are still using your old public key. In most cases, this resolves automatically within 24 hours as their caches are refreshed. No manual intervention is typically needed unless the issue persists.


Best Practice Going Forward
To prevent future issues:

  • Maintain a keychain of all certificates you've used in a given environment.
  • Always provide the full set of certificates to your PrivateKeyStorage when initializing your system.
  • Avoid deleting certificates immediately after renewal—keep the old key active at least 24–48 hours post-deployment.
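The following standalone C# program is an added illustration of the mechanism behind the recommended approach and the keychain practice above. It is not part of this article and not the SDK's PrivateKeyMemoryStorage: the KeychainDecryptor class, the constructed self-signed test certificates and the sample message are all assumptions made here, built only on the standard .NET cryptography APIs. It shows why a receiver configured with only the new certificate fails on a message from an MA whose cache still holds the old public key, and why a store holding both certificates decrypts it.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Illustrative multi-certificate decryptor (hypothetical; not the SDK's PrivateKeyMemoryStorage).
// Holds a keychain of certificates and tries each private key in turn, newest first,
// so a message encrypted with a cached old public key still decrypts during rotation.
public sealed class KeychainDecryptor
{
    private readonly List<X509Certificate2> _keychain;

    // Order only affects speed: list the current certificate first.
    public KeychainDecryptor(params X509Certificate2[] certificates)
    {
        if (certificates == null || certificates.Length == 0)
            throw new ArgumentException("At least one certificate with a private key is required.");
        _keychain = new List<X509Certificate2>(certificates);
    }

    // Returns the plaintext and reports which certificate succeeded; throws if no key fits.
    public byte[] Decrypt(byte[] ciphertext, out string usedThumbprint)
    {
        foreach (var cert in _keychain)
        {
            using RSA rsa = cert.GetRSAPrivateKey()
                ?? throw new InvalidOperationException($"Certificate {cert.Thumbprint} has no RSA private key.");
            try
            {
                byte[] plaintext = rsa.Decrypt(ciphertext, RSAEncryptionPadding.OaepSHA256);
                usedThumbprint = cert.Thumbprint;
                return plaintext;
            }
            catch (CryptographicException)
            {
                // Wrong key for this ciphertext (the sender may still cache an older public key); try the next one.
            }
        }
        throw new CryptographicException("No certificate in the keychain could decrypt this message.");
    }
}

public static class Demo
{
    // Constructed self-signed test certificate; in a real deployment these are your actual certificates.
    private static X509Certificate2 MakeTestCertificate(string subject)
    {
        RSA rsa = RSA.Create(2048); // kept alive for the certificate's lifetime
        var request = new CertificateRequest(subject, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return request.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1));
    }

    public static void Main()
    {
        X509Certificate2 oldCert = MakeTestCertificate("CN=MA-old (constructed)");
        X509Certificate2 newCert = MakeTestCertificate("CN=MA-new (constructed)");

        // A sending MA whose cache has not refreshed yet still encrypts with the OLD public key.
        byte[] message = Encoding.UTF8.GetBytes("constructed sample message");
        byte[] ciphertextWithOldKey;
        using (RSA oldPublic = oldCert.GetRSAPublicKey())
            ciphertextWithOldKey = oldPublic.Encrypt(message, RSAEncryptionPadding.OaepSHA256);

        // Receiver configured with only the new certificate: decryption fails.
        var newOnly = new KeychainDecryptor(newCert);
        try { newOnly.Decrypt(ciphertextWithOldKey, out _); }
        catch (CryptographicException e) { Console.WriteLine("New-only store: " + e.Message); }

        // Receiver configured with the full keychain: the old key is found and the message decrypts.
        var keychain = new KeychainDecryptor(newCert, oldCert);
        byte[] recovered = keychain.Decrypt(ciphertextWithOldKey, out string used);
        Console.WriteLine($"Keychain store: decrypted with {used}: {Encoding.UTF8.GetString(recovered)}");
    }
}
```

The fallback loop is the whole point: a decryption failure under one key is treated as "try the next key", not as a fatal error, so the old certificate only needs to stay in the keychain until every peer's cache has refreshed (the 24–48 hours recommended above). Keeping a record of which thumbprint actually decrypted each message also tells you when the old key has stopped being used and can safely be retired.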


By following these practices, you’ll ensure uninterrupted communication with other systems in the Connect ID ecosystem—even during certificate transitions.


For any technical questions or assistance, feel free to contact our support team at support.id@fifa.org.