How to update signing and encryption certs in SAML2 assertion for OIF
I run OIF 11.1.1.2 in a basic setup with just an LDAP user store and no further integration with other products. This setup has been running for nearly a year without too many issues. Now I see that the signing and encryption certificates embedded in my IDP metadata are about to expire. Here is a snippet of the metadata:
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="id-p-goX6OouKSHdORwz-s-4HiZakg-" cacheDuration="P0Y0M30DT0H0M0.0S" entityID="https://myorg:443/fed/idp" validUntil="2012-11-14T19:15:56Z">
I have a VIP that takes traffic outside the firewall and directs it to my OIF server. I used the cert installed on the VIP with the keytool in $JAVA_HOME to make a .p12 file that is used as my identity and custom trust keystores for my OIF server. The cert on the VIP doesn't expire for another 9 months. It is only the signing and encryption certs in my SAML2 metadata that will expire soon.
I am thinking that I will need to take the cert from the VIP, use the keytool to make another .p12 file, and then set that file as my custom identity and custom trust keystores in the WLS Admin console, and then update the passwords in EM/Administer/Server Properties/SSL Connection Settings for the WLS Identity/Trust Keystore password fields. Will this update my metadata with a new signing/encryption cert with a new expiration date? I will have to give the metadata out to my current partners, but the update should be simple for them.
Am I on the right track? Will that update the expiration date in my metadata? Or are the signing/encryption certs managed differently? I admit I could be confusing the identity and custom trust keystores with my SSL setup.
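The snippet in the question carries two metadata-level lifetimes, validUntil (hard expiry of the document) and cacheDuration (how long a partner may keep a cached copy before re-fetching). The following Python example is added here as an illustration and is not part of the post or of OIF; it parses an EntityDescriptor with the standard library and reports when replacement metadata has to be in partners' hands. The sample document is constructed from the quoted snippet with a placeholder ID, the "publish by validUntil minus cacheDuration" deadline is a conservative rule of thumb rather than anything the product enforces, and the check deliberately covers only the metadata attributes, not the notAfter dates of the X.509 certificates embedded in the KeyDescriptor elements.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample modelled on the EntityDescriptor quoted in the question;
# the ID value is a placeholder and the descriptor body is reduced to one element.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    ID="id-constructed-placeholder" cacheDuration="P0Y0M30DT0H0M0.0S"
    entityID="https://myorg:443/fed/idp" validUntil="2012-11-14T19:15:56Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>
"""

_DURATION_RE = re.compile(
    r"^P(?:(?P<years>\d+)Y)?(?:(?P<months>\d+)M)?(?:(?P<days>\d+)D)?"
    r"(?:T(?:(?P<hours>\d+)H)?(?:(?P<minutes>\d+)M)?(?:(?P<seconds>\d+(?:\.\d+)?)S)?)?$"
)


def utc(*args):
    """Build a timezone-aware UTC datetime (helper for callers and tests)."""
    return datetime(*args, tzinfo=timezone.utc)


def parse_xsd_duration(text):
    """Turn an xsd:duration such as P0Y0M30DT0H0M0.0S into a timedelta.
    Years and months are approximated as 365 and 30 days, which is close
    enough for a 'when do I need to republish' check."""
    m = _DURATION_RE.match(text)
    if not m:
        raise ValueError(f"unsupported xsd:duration: {text!r}")
    g = {k: float(v) if v else 0.0 for k, v in m.groupdict().items()}
    return timedelta(days=g["years"] * 365 + g["months"] * 30 + g["days"],
                     hours=g["hours"], minutes=g["minutes"], seconds=g["seconds"])


def parse_xsd_datetime(text):
    """Parse the UTC 'Z' form used by validUntil, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unsupported xsd:dateTime: {text!r}")


def check_metadata(xml_text, now, warn_days=30):
    """Report how long the metadata document itself stays usable.

    validUntil is the hard expiry; cacheDuration is how long a partner may keep
    a copy before re-fetching. Replacement metadata therefore has to reach
    partners before validUntil - cacheDuration (rule of thumb used here), and
    the 'renew' status fires warn_days ahead of that deadline.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("root element is not a SAML 2.0 md:EntityDescriptor")
    if root.get("validUntil") is None:
        raise ValueError("metadata carries no validUntil attribute")

    valid_until = parse_xsd_datetime(root.get("validUntil"))
    cache = parse_xsd_duration(root.get("cacheDuration", "PT0S"))
    publish_by = valid_until - cache
    if now >= valid_until:
        status = "expired"
    elif now >= publish_by - timedelta(days=warn_days):
        status = "renew"
    else:
        status = "ok"
    return {
        "entity_id": root.get("entityID"),
        "valid_until": valid_until,
        "days_left": (valid_until - now) // timedelta(days=1),
        "publish_by": publish_by,
        "status": status,
    }


if __name__ == "__main__":
    # Evaluate the sample as of 1 October 2012: 44 days before validUntil, but
    # already inside the 30-day cache window plus 30-day warning margin.
    report = check_metadata(SAMPLE_METADATA, utc(2012, 10, 1))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against a real exported metadata file by passing its contents to check_metadata together with the current time; a "renew" result means partners who cache for the full cacheDuration may still be holding the old document when validUntil passes, so the refreshed metadata should go out before that window, not at expiry.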