1) What is the purpose of the sso_public certificate?
[Versa]
The SP certificate is used to establish trust between the third-party SSO engine and the SP, which here is the Versa Director.
Without the certificate being shared ahead of time, the SSO engine can validate that a message is intact, but not who actually generated it.
2) Where are these certificates located in the Director?
[Versa]
admin@Director:.../data/certs$ pwd
/var/versa/vnms/data/certs
admin@Director-Snehal-VSA:.../data/certs$ ls -ltr | grep sso
-rw-rw---- 1 versa versa 916 Oct 9 10:31 vnms_sso_private.key
-rw-rw---- 1 versa versa 1074 Oct 9 10:31 vnms_sso_public.crt
3) Will the expiration of vnms_sso_public.crt cause the SSO Authentication to fail?
[Versa]
Yes, you would see an "Authentication Failed" error while trying to perform an SSO login.
4) How to check the validity of the sso_public cert which is present on the Versa-Director?
[Versa]
[Administrator@Director:~] $ keytool -printcert -file /var/versa/vnms/data/certs/vnms_sso_public.crt
Sample-Reference:
[Administrator@Director: ~] $ keytool -printcert -file /var/versa/vnms/data/certs/vnms_sso_public.crt
Owner: L=Santa Clara, ST=California, C=US, OU=VersaDirector, O=versa-networks, CN=AZR-VD01
Issuer: L=Santa Clara, ST=California, C=US, OU=VersaDirector, O=versa-networks, CN=AZR-VD01
Serial number: 123456789098765
Valid from: Tue Jan 11 15:29:40 EDT 2022 until: Wed Jan 11 15:29:40 EDT 2023
5) What is the best practice to track this expiry of the SSO cert and what should be the ideal validity of the SSO-Certificate?
[Versa]
Keep it the same as the Director CSR certificate, which is typically renewed once a year with a validity of 1 year. When updating the Director CSR, have an internal MOP (method of procedure) to update/renew the SSO public certificate as well, also with a one-year validity.
This way, both the Director CSR certificate and the SSO certificate expire together, and the SSO certificate does not need to be tracked separately.
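As an added example (not Versa's code) covering both the keytool check in question 4 and the expiry tracking in question 5, this script parses the "Valid from ... until ..." line that keytool -printcert prints and reports whether the SSO public certificate is expired or inside a warning window. The sample output embedded below is constructed from the reference above, and the timezone-abbreviation table is an assumption about what the Director's JVM prints.

```python
import re
import subprocess
from datetime import datetime, timedelta, timezone

# Certificate path as shown on the Director in question 2.
SSO_CERT = "/var/versa/vnms/data/certs/vnms_sso_public.crt"

# Constructed sample mirroring the keytool -printcert reference output above.
SAMPLE_KEYTOOL_OUTPUT = """\
Owner: L=Santa Clara, ST=California, C=US, OU=VersaDirector, O=versa-networks, CN=AZR-VD01
Issuer: L=Santa Clara, ST=California, C=US, OU=VersaDirector, O=versa-networks, CN=AZR-VD01
Serial number: 123456789098765
Valid from: Tue Jan 11 15:29:40 EDT 2022 until: Wed Jan 11 15:29:40 EDT 2023
"""

# keytool prints the JVM's local zone abbreviation; assumed mapping for the
# abbreviations a US-based Director is likely to emit.
ZONE_OFFSETS = {"UTC": 0, "GMT": 0, "EST": -5, "EDT": -4, "CST": -6, "CDT": -5,
                "MST": -7, "MDT": -6, "PST": -8, "PDT": -7}

def parse_keytool_time(text):
    """Parse 'Wed Jan 11 15:29:40 EDT 2023' into an aware UTC datetime."""
    parts = text.split()          # ['Wed', 'Jan', '11', '15:29:40', 'EDT', '2023']
    zone = parts.pop(4)
    if zone not in ZONE_OFFSETS:
        raise ValueError(f"unknown zone abbreviation: {zone}")
    naive = datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone(timedelta(hours=ZONE_OFFSETS[zone]))).astimezone(timezone.utc)

def parse_validity(output):
    """Return (not_before, not_after) from keytool -printcert output."""
    m = re.search(r"Valid from: (.+?) until: (.+)", output)
    if not m:
        raise ValueError("no 'Valid from' line in keytool output")
    return parse_keytool_time(m.group(1)), parse_keytool_time(m.group(2).strip())

def check_sso_cert(output, now, warn_days=30):
    """Classify the cert as 'not-yet-valid', 'expired', 'expiring' (within
    warn_days) or 'ok'; also return whole days remaining (negative once expired)."""
    not_before, not_after = parse_validity(output)
    remaining = (not_after - now).days
    if now < not_before:
        return "not-yet-valid", remaining
    if now >= not_after:
        return "expired", remaining
    return ("expiring" if remaining <= warn_days else "ok"), remaining

def check_director_sso_cert(warn_days=30):
    """Run keytool against the Director's SSO cert (needs keytool on PATH)."""
    out = subprocess.run(["keytool", "-printcert", "-file", SSO_CERT],
                         capture_output=True, text=True, check=True).stdout
    return check_sso_cert(out, datetime.now(timezone.utc), warn_days)

if __name__ == "__main__":
    status, days = check_sso_cert(SAMPLE_KEYTOOL_OUTPUT, datetime.now(timezone.utc))
    print(f"{SSO_CERT}: {status} ({days} days remaining)")
```

Run check_director_sso_cert() from a cron job on the Director and alert on anything other than "ok" so the SSO certificate is renewed in the same window as the Director CSR.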