diff --git a/lib/SimpleSAML/Bindings/Shib13/Artifact.php b/lib/SimpleSAML/Bindings/Shib13/Artifact.php
index d1693373d2656826a7d021d78cc26df88082c1f4..851bdd194f45648cbe4f11903188d0d33445c7ae 100644
--- a/lib/SimpleSAML/Bindings/Shib13/Artifact.php
+++ b/lib/SimpleSAML/Bindings/Shib13/Artifact.php
@@ -125,7 +125,7 @@ class SimpleSAML_Bindings_Shib13_Artifact {
 		$url = $idpMetadata->getDefaultEndpoint('ArtifactResolutionService', array('urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding'));
 		$url = $url['Location'];
 
-		$certData = SimpleSAML_Utilities::loadPublicKey($idpMetadata->toArray(), TRUE);
+		$certData = SimpleSAML_Utilities::loadPublicKey($idpMetadata, TRUE);
 		if (!array_key_exists('PEM', $certData)) {
 			throw new SimpleSAML_Error_Exception('Missing one of certData or certificate in metadata for '
 				. var_export($idpMetadata->getString('entityid'), TRUE));
diff --git a/lib/SimpleSAML/Bindings/Shib13/HTTPPost.php b/lib/SimpleSAML/Bindings/Shib13/HTTPPost.php
index 3d752b744378456d2d4f63276d899fe3b4fffa73..7d9329be1f05078356130bc02223b1ea56258406 100644
--- a/lib/SimpleSAML/Bindings/Shib13/HTTPPost.php
+++ b/lib/SimpleSAML/Bindings/Shib13/HTTPPost.php
@@ -31,7 +31,7 @@ class SimpleSAML_Bindings_Shib13_HTTPPost {
 		SimpleSAML_Utilities::validateXMLDocument($response, 'saml11');
 
 		$privatekey = SimpleSAML_Utilities::loadPrivateKey($idpmd->toArray(), TRUE);
-		$publickey = SimpleSAML_Utilities::loadPublicKey($idpmd->toArray(), TRUE);
+		$publickey = SimpleSAML_Utilities::loadPublicKey($idpmd, TRUE);
 
 		$responsedom = new DOMDocument();
 		$responsedom->loadXML(str_replace ("\r", "", $response));
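Review bot: The two key loaders on adjacent lines now take different argument types: `loadPrivateKey($idpmd->toArray(), TRUE)` still wants the raw metadata array, while `loadPublicKey($idpmd, TRUE)` wants the SimpleSAML_Configuration object. The same split appears in `addSign()` in modules/saml2/lib/Message.php. Passing the wrong form is an easy slip in code that handles signing keys, so either convert `loadPrivateKey()` in the same series or mark the difference at the call site, e.g. `/* loadPrivateKey() still takes the metadata array; loadPublicKey() takes the configuration object. */`. The enclosing method starts and ends outside the hunk.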
diff --git a/lib/SimpleSAML/Metadata/SAMLBuilder.php b/lib/SimpleSAML/Metadata/SAMLBuilder.php
index cafffba6e5def9bc637811ac676fd85c8a0c8ff0..052f55502f92ad788c2c584e181276abd7c34dd2 100644
--- a/lib/SimpleSAML/Metadata/SAMLBuilder.php
+++ b/lib/SimpleSAML/Metadata/SAMLBuilder.php
@@ -596,7 +596,7 @@ class SimpleSAML_Metadata_SAMLBuilder {
 	 */
 	private function addCertificate(SAML2_XML_md_RoleDescriptor $rd, SimpleSAML_Configuration $metadata) {
 
-		$certInfo = SimpleSAML_Utilities::loadPublicKey($metadata->toArray());
+		$certInfo = SimpleSAML_Utilities::loadPublicKey($metadata);
 		if ($certInfo === NULL || !array_key_exists('certData', $certInfo)) {
 			/* No certificate to add. */
 			return;
diff --git a/lib/SimpleSAML/Utilities.php b/lib/SimpleSAML/Utilities.php
index c21b76a4ade45c27a5df9155ed57f9a6d1c3e1eb..cf907119026fbf447902865e3a7b16fe407be63a 100644
--- a/lib/SimpleSAML/Utilities.php
+++ b/lib/SimpleSAML/Utilities.php
@@ -1507,7 +1507,7 @@ class SimpleSAML_Utilities {
 	 * 'certFingerprint'  Array of valid certificate fingerprints. (Only present
 	 *                    if this is a certificate.)
 	 *
-	 * @param array $metadata  The metadata array.
+	 * @param SimpleSAML_Configuration $metadata  The metadata.
 	 * @param bool $required  Whether the private key is required. If this is TRUE, a
 	 *                        missing key will cause an exception. Default is FALSE.
 	 * @param string $prefix  The prefix which should be used when reading from the metadata
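Review bot: The `$required` description in this docblock says "private key", although the `@return` text in the following hunk shows the documented function is `loadPublicKey()`; it reads like a leftover from `loadPrivateKey()`. Since the `@param` line for `$metadata` is being edited anyway, the line could be corrected to `@param bool $required  Whether the public key is required. If this is TRUE, a`. The docblock begins above the hunk.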
@@ -1515,16 +1515,15 @@ class SimpleSAML_Utilities {
 	 * @return array|NULL  Public key or certificate data, or NULL if no public key or
 	 *                     certificate was found.
 	 */
-	public static function loadPublicKey($metadata, $required = FALSE, $prefix = '') {
-		assert('is_array($metadata)');
+	public static function loadPublicKey(SimpleSAML_Configuration $metadata, $required = FALSE, $prefix = '') {
 		assert('is_bool($required)');
 		assert('is_string($prefix)');
 
 		$ret = array();
 
-		if (array_key_exists($prefix . 'certData', $metadata)) {
+		if ($metadata->hasValue($prefix . 'certData')) {
 			/* Full certificate data available from metadata. */
-			$certData = $metadata[$prefix . 'certData'];
+			$certData = $metadata->getString($prefix . 'certData');
 			$certData = str_replace(array("\r", "\n", "\t", ' '), '', $certData);
 			$ret['certData'] = $certData;
 
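Review bot: The docblock for `loadPublicKey()` has no `@throws`, yet this change alters how bad input fails. The new type hint rejects an array argument outright, and `getString()` should raise when `certData` is present but not a string (as I recall SimpleSAML_Configuration's typed getters; worth confirming), where the old code passed the value straight to `str_replace()`. Failing closed on malformed certificate configuration is the right behaviour and should be stated, e.g. `@throws Exception  If a certificate option in the metadata has the wrong type.`. Callers outside this diff that still pass `->toArray()` will break on the new signature, so an upgrade note would help. The function body continues past the hunk.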
@@ -1533,9 +1532,9 @@ class SimpleSAML_Utilities {
 				chunk_split($ret['certData'], 64) .
 				"-----END CERTIFICATE-----\n";
 
-		} elseif (array_key_exists($prefix . 'certificate', $metadata)) {
+		} elseif ($metadata->hasValue($prefix . 'certificate')) {
 			/* Reference to certificate file. */
-			$file = SimpleSAML_Utilities::resolveCert($metadata[$prefix . 'certificate']);
+			$file = SimpleSAML_Utilities::resolveCert($metadata->getString($prefix . 'certificate'));
 			$data = @file_get_contents($file);
 			if ($data === FALSE) {
 				throw new Exception('Unable to load certificate/public key from file "' . $file . '"');
@@ -1549,13 +1548,9 @@ class SimpleSAML_Utilities {
 				$ret['certData'] = str_replace(array("\r", "\n"), '', $matches[1]);
 			}
 
-		} elseif (array_key_exists($prefix . 'certFingerprint', $metadata)) {
+		} elseif ($metadata->hasValue($prefix . 'certFingerprint')) {
 			/* We only have a fingerprint available. */
-			$fps = $metadata[$prefix . 'certFingerprint'];
-
-			if (!is_array($fps)) {
-				$fps = array($fps);
-			}
+			$fps = $metadata->getArrayizeString($prefix . 'certFingerprint');
 
 			/* Normalize fingerprint(s) - lowercase and no colons. */
 			foreach($fps as &$fp) {
diff --git a/modules/saml/www/sp/metadata.php b/modules/saml/www/sp/metadata.php
index 8e0761598002d180fa86976923f898dc2d7976c0..6b3aa05e4ba7e851be30f2f62f6976d13054e505 100644
--- a/modules/saml/www/sp/metadata.php
+++ b/modules/saml/www/sp/metadata.php
@@ -64,7 +64,7 @@ if ($spconfig->getBoolean('saml20.binding.artifact.enable', FALSE)) {
 	);
 }
 
-$certInfo = SimpleSAML_Utilities::loadPublicKey($spconfig->toArray());
+$certInfo = SimpleSAML_Utilities::loadPublicKey($spconfig);
 if ($certInfo !== NULL && array_key_exists('certData', $certInfo)) {
 	$certData = $certInfo['certData'];
 	$metaArray11['certData'] = $certData;
diff --git a/modules/saml2/lib/Message.php b/modules/saml2/lib/Message.php
index 2f5884273ca972666d6953feefbb72168bc5e487..f82c43e68ddb524bfb6adb40fd3de2f73d264095 100644
--- a/modules/saml2/lib/Message.php
+++ b/modules/saml2/lib/Message.php
@@ -39,9 +39,7 @@ class sspmod_saml2_Message {
 	 */
 	public static function addSign(SimpleSAML_Configuration $srcMetadata, SimpleSAML_Configuration $dstMetadata, SAML2_SignedElement $element) {
 
-		$srcMetadata = $srcMetadata->toArray();
-
-		$keyArray = SimpleSAML_Utilities::loadPrivateKey($srcMetadata, TRUE);
+		$keyArray = SimpleSAML_Utilities::loadPrivateKey($srcMetadata->toArray(), TRUE);
 		$certArray = SimpleSAML_Utilities::loadPublicKey($srcMetadata, FALSE);
 
 		$privateKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type' => 'private'));
@@ -133,7 +131,7 @@ class sspmod_saml2_Message {
 		SimpleSAML_Logger::debug('Found ' . count($certificates) . ' certificates in ' . get_class($element));
 
 		/* Find the certificate that should verify signatures by this entity. */
-		$certArray = SimpleSAML_Utilities::loadPublicKey($srcMetadata->toArray(), FALSE);
+		$certArray = SimpleSAML_Utilities::loadPublicKey($srcMetadata, FALSE);
 		if ($certArray !== NULL) {
 			if (array_key_exists('PEM', $certArray)) {
 				$pemCert = $certArray['PEM'];
@@ -284,7 +282,7 @@ class sspmod_saml2_Message {
 			$key->loadKey($sharedKey);
 		} else {
 			/* Find the certificate that we should use to encrypt messages to this SP. */
-			$certArray = SimpleSAML_Utilities::loadPublicKey($dstMetadata->toArray(), TRUE);
+			$certArray = SimpleSAML_Utilities::loadPublicKey($dstMetadata, TRUE);
 			if (!array_key_exists('PEM', $certArray)) {
 				throw new Exception('Unable to locate key we should use to encrypt the assertionst ' .
 					'to the SP: ' . var_export($dstMetadata->getString('entityid'), TRUE) . '.');
diff --git a/www/saml2/idp/metadata.php b/www/saml2/idp/metadata.php
index 29e8fe493f7771166ac23ab9c85c3f7ac6dd0228..75ad959c3fedbddca3ac060c55aaa15dfaf65995 100644
--- a/www/saml2/idp/metadata.php
+++ b/www/saml2/idp/metadata.php
@@ -20,7 +20,7 @@ try {
 	$idpentityid = isset($_GET['idpentityid']) ? $_GET['idpentityid'] : $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
 	$idpmeta = $metadata->getMetaDataConfig($idpentityid, 'saml20-idp-hosted');
 
-	$certInfo = SimpleSAML_Utilities::loadPublicKey($idpmeta->toArray(), TRUE);
+	$certInfo = SimpleSAML_Utilities::loadPublicKey($idpmeta, TRUE);
 	$certFingerprint = $certInfo['certFingerprint'];
 	if (count($certFingerprint) === 1) {
 		/* Only one valid certificate. */
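Review bot: `$certInfo['certFingerprint']` is read without checking that the key exists, although the docblock of `loadPublicKey()` says it is "Only present if this is a certificate". Passing `TRUE` for `$required` covers a missing key, not this index, so a metadata entry that resolves to a bare public key would presumably give an undefined index and `count()` on NULL here. A guard before the read, such as `if (!array_key_exists('certFingerprint', $certInfo)) { throw new SimpleSAML_Error_Exception('No certificate found for ' . var_export($idpentityid, TRUE)); }`, would make the failure explicit; Artifact.php already checks `array_key_exists('PEM', $certData)` in the same way. The same unguarded read follows the changed call in www/shib13/idp/metadata.php, and the `try` block continues outside the hunk.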
diff --git a/www/saml2/sp/metadata.php b/www/saml2/sp/metadata.php
index be9d039ea8dde5f52579ae29bc615e054436bea7..b005273539298ba2e4e8b748dd5fb01c5171d949 100644
--- a/www/saml2/sp/metadata.php
+++ b/www/saml2/sp/metadata.php
@@ -55,7 +55,7 @@ try {
 		$metaArray['description'] = $spmeta->getLocalizedString('description');
 	}
 
-	$certInfo = SimpleSAML_Utilities::loadPublicKey($spmeta->toArray());
+	$certInfo = SimpleSAML_Utilities::loadPublicKey($spmeta);
 	if ($certInfo !== NULL && array_key_exists('certData', $certInfo)) {
 		$metaArray['certData'] = $certInfo['certData'];
 	}
diff --git a/www/shib13/idp/metadata.php b/www/shib13/idp/metadata.php
index f795306b43f18b655a50f3ac5e3c1d581456097c..c386966a06a1c0881dd9476e796e53cc234e90bf 100644
--- a/www/shib13/idp/metadata.php
+++ b/www/shib13/idp/metadata.php
@@ -21,7 +21,7 @@ try {
 	$idpentityid = isset($_GET['idpentityid']) ? $_GET['idpentityid'] : $metadata->getMetaDataCurrentEntityID('shib13-idp-hosted');
 	$idpmeta = $metadata->getMetaDataConfig($idpentityid, 'shib13-idp-hosted');
 
-	$certInfo = SimpleSAML_Utilities::loadPublicKey($idpmeta->toArray(), TRUE);
+	$certInfo = SimpleSAML_Utilities::loadPublicKey($idpmeta, TRUE);
 	$certFingerprint = $certInfo['certFingerprint'];
 	if (count($certFingerprint) === 1) {
 		/* Only one valid certificate. */
diff --git a/www/shib13/sp/metadata.php b/www/shib13/sp/metadata.php
index a3145920314bb6caf56c2ec92dba764c7f00133c..18fec83a9013a573b2e2b6fc0469440573b1d3d4 100644
--- a/www/shib13/sp/metadata.php
+++ b/www/shib13/sp/metadata.php
@@ -28,7 +28,7 @@ try {
 		'AssertionConsumerService' => $metadata->getGenerated('AssertionConsumerService', 'shib13-sp-hosted'),
 	);
 
-	$certInfo = SimpleSAML_Utilities::loadPublicKey($spmeta->toArray());
+	$certInfo = SimpleSAML_Utilities::loadPublicKey($spmeta);
 	if ($certInfo !== NULL && array_key_exists('certData', $certInfo)) {
 		$metaArray['certData'] = $certInfo['certData'];
 	}