🐛 [open-formulieren/open-forms#5136] Use next certificate in eh service catalog when it's available

sergei-maertens · sergei-maertens · commit ecc1d127c179 · 2025-03-13T10:55:00.000+01:00
If a next certificate is configured, scheduled to replace the
(expiring) current certificate, use that in favour of the
current certificate when genering the service catalogue
metadata.
diff --git a/digid_eherkenning/saml2/eherkenning.py b/digid_eherkenning/saml2/eherkenning.py
@@ -329,7 +329,8 @@ def create_service_catalogus(conf: EHerkenningConfig, validate: bool = True) ->
     """
     https://afsprakenstelsel.etoegang.nl/display/as/Service+catalog
     """
-    with conf["cert_file"].open("rb") as cert_file:
+    cert_file = conf["next_cert_file"] or conf["cert_file"]
+    with cert_file.open("rb") as cert_file:
         x509_certificate_content: bytes = cert_file.read()
 
     sc_id = str(uuid4())
diff --git a/digid_eherkenning/types.py b/digid_eherkenning/types.py
@@ -38,6 +38,7 @@ class EHerkenningConfig(TypedDict):
     entity_id: str
     metadata_file: str
     cert_file: Path | FieldFile
+    next_cert_file: Path | FieldFile | None
     key_file: Path | FieldFile
     service_entity_id: str
     oin: str
