Differences
en:certificates [2017/12/04 15:49] – Silke Meyer | en:certificates [2017/12/04 15:57] – Wolfgang Pempe | ||
---|---|---|---|
Line 2: | Line 2: | ||
In the context of SAML-based communication between IdP and SP, certificates are used for purposes of signature validation and encryption. Those certificates must be registered for the respective entity using the [[en: | In the context of SAML-based communication between IdP and SP, certificates are used for purposes of signature validation and encryption. Those certificates must be registered for the respective entity using the [[en: | ||
- | **The general rule is:** Entities with invalid (that is expired or revoked) certificates are automatically removed from the productive DFN-AAI federation! | + | **The general rule is:** Entities with invalid (i.e. expired or revoked) certificates are automatically removed from the productive DFN-AAI federation! |
===== Information for Identity Providers / Attribute Authorities ===== | ===== Information for Identity Providers / Attribute Authorities ===== | ||
Cf. [[de: | Cf. [[de: | ||
===== Information for Service Providers ===== | ===== Information for Service Providers ===== | ||
- | All certificates and the respective private keys used for SAML-based communication have to be add to your SP's configuration, | + | All certificates and the respective private keys used for SAML-based communication have to be added to your SP's configuration, |
==== DFN-PKI Certificates ==== | ==== DFN-PKI Certificates ==== | ||
Line 55: | Line 55: | ||
6ded7378 | 6ded7378 | ||
</ | </ | ||
- | * Check the hash of the first intermediate certificate. | + | * Check the hash of the first intermediate certificate. |
< | < | ||
$ openssl x509 -in intermediate1.pem -noout -hash | $ openssl x509 -in intermediate1.pem -noout -hash | ||
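Review bot: the check in this hunk compares only the value printed by `openssl x509 -noout -hash`, which is the subject-name hash (`-hash` is an alias for `-subject_hash`), so a match such as `6ded7378` confirms which CA name the intermediate carries, not that the file is the genuine DFN-PKI certificate. Consider telling readers to also compare the certificate fingerprint (`openssl x509 -in intermediate1.pem -noout -fingerprint -sha256`) against the value published by the issuing CA before putting the file into the chain.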
Line 67: | Line 67: | ||
If there is another intermediate certificate, | If there is another intermediate certificate, | ||
- | If you use the Apache webserver, point the SSLCACertificateFile directive to your chain file. (See the example configuration on [[de: | + | If you use the Apache webserver, point the SSLCACertificateFile directive to your chain file. (See the example configuration on [[de: |
Once you have added you certificate chain, adapted your configuration and activated it you can verify it with OpenSSL: | Once you have added you certificate chain, adapted your configuration and activated it you can verify it with OpenSSL: | ||
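Review bot: the unchanged sentence "point the SSLCACertificateFile directive to your chain file" deserves a caveat: in the Apache documentation SSLCACertificateFile is the list of CAs trusted for client-certificate verification, so it also becomes the set of accepted client CAs as soon as SSLVerifyClient is enabled; the server's own intermediates belong in SSLCertificateChainFile or, from Apache 2.4.8 on, appended to the file named by SSLCertificateFile. Also, the trailing context line still reads "Once you have added you certificate chain"; it should be "your certificate chain".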
Line 73: | Line 73: | ||
$ openssl s_client -connect idp.domain.tld: | $ openssl s_client -connect idp.domain.tld: | ||
</ | </ | ||
- | Below you can the answer of dfn.de' | + | Below you can see the answer of dfn.de' |
**Next step:** [[en: | **Next step:** [[en: |
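Review bot: the `openssl s_client -connect idp.domain.tld:` verification would be more reliable with `-servername idp.domain.tld` (so the host sends the certificate for that name when SNI is used) and `-CAfile` pointing at the DFN-PKI root, so that the `Verify return code` line in the output actually reflects whether the complete chain validates rather than just echoing the server's response.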