ForgeRock AM 5.0 ships with Amster a lightweight command line tool and interactive shell, that allows for the automation of many management and configuration tasks. A common task often associated with SAML2 identity provider configs, is the updating of certificates that are used for signing and the possible encryption of assertions. A feature added in 13.0 of OpenAM, was the ability to have multiple certificates within an IDP config. This is useful to overcome the age old challenge of how to handle certificate expiration. An invalid cert can brake integrations with service providers. The process to remove, then add a new certificate, would require any entities within the circle of trust to retrieve new metadata into their configs - and thus create downtime, so the timing of this is often an issue. The ability to have multiple certificates in the config, would allow service providers to pull down meta data at a known date, instead of specifically when certificates expired.