Differences

This shows you the differences between two versions of the page.

en:certificates [2017/12/04 15:49] Silke Meyeren:certificates [2017/12/04 15:57] Wolfgang Pempe
Line 2: Line 2:
 In the context of SAML-based communication between IdP and SP, certificates are used for purposes of signature validation and encryption. Those certificates must be registered for the respective entity using the [[en:metadata_admin_tool|metadata administration tool]]. In the context of SAML-based communication between IdP and SP, certificates are used for purposes of signature validation and encryption. Those certificates must be registered for the respective entity using the [[en:metadata_admin_tool|metadata administration tool]].
  
-**The general rule is:** Entities with invalid (that is expired or revoked) certificates are automatically removed from the productive DFN-AAI federation!+**The general rule is:** Entities with invalid (i.e. expired or revoked) certificates are automatically removed from the productive DFN-AAI federation!
 ===== Information for Identity Providers / Attribute Authorities ===== ===== Information for Identity Providers / Attribute Authorities =====
 Cf. [[de:shibidp3prepare-zert#dfn-pki-zertifikate|Vorbereitung: Zertifikate]] Cf. [[de:shibidp3prepare-zert#dfn-pki-zertifikate|Vorbereitung: Zertifikate]]
  
 ===== Information for Service Providers ===== ===== Information for Service Providers =====
-All certificates and the respective private keys used for SAML-based communication have to be add to your SP's configuration, no matter which of the options mentioned below you choose. With Shibboleth SP this is the ''CredentialResolver'' element in /etc/shibboleth/shibboleth2.xml (see [[https://wiki.aai.dfn.de/de:shibsp|Shibboleth SP (de)]]).+All certificates and the respective private keys used for SAML-based communication have to be added to your SP's configuration, no matter which of the options mentioned below you choose. With Shibboleth SP this is the ''CredentialResolver'' element in /etc/shibboleth/shibboleth2.xml (see [[https://wiki.aai.dfn.de/de:shibsp|Shibboleth SP (de)]]).
  
 ==== DFN-PKI Certificates ==== ==== DFN-PKI Certificates ====
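Review bot: the "Cf." reference under "Information for Identity Providers / Attribute Authorities" keeps a German label ([[de:shibidp3prepare-zert#dfn-pki-zertifikate|Vorbereitung: Zertifikate]]) on an otherwise English page; give it an English label such as "Preparation: Certificates" and mark the target as "(de)" the way the Shibboleth SP link in the same hunk already does. Minor style point in the same hunk: /etc/shibboleth/shibboleth2.xml is given without the ''…'' markup used for ''CredentialResolver''; wrap the path the same way so file names and element names are set off consistently.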
Line 55: Line 55:
 6ded7378 6ded7378
 </code> </code>
-  * Check the hash of the first intermediate certificate. it should match the server certificate's issuer hash.+  * Check the hash of the first intermediate certificate. It should match the server certificate's issuer hash.
 <code> <code>
 $ openssl x509 -in intermediate1.pem -noout -hash $ openssl x509 -in intermediate1.pem -noout -hash
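Review bot: comparing the "-hash" of intermediate1.pem with the server certificate's issuer hash only shows that one certificate's subject name equals the other's issuer name; it does not check the signature, so an old or reissued intermediate with the same name passes this step. Suggest closing the chain walk with a real validation, e.g. "openssl verify -CAfile root.pem -untrusted intermediate1.pem server.pem", which checks signatures and validity periods as well. Also worth a sentence: "-hash" is the subject-name hash as computed by the OpenSSL version in use (SHA-1 based since 1.0.0, "-subject_hash_old" gives the older MD5-based value), so hashes such as "6ded7378" taken on different systems need not agree.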
Line 67: Line 67:
 If there is another intermediate certificate, compare the above issuer hash with its hash and so on. Like this, you crawl up to the root certificate step by step. If there is another intermediate certificate, compare the above issuer hash with its hash and so on. Like this, you crawl up to the root certificate step by step.
  
-If you use the Apache webserver, point the SSLCACertificateFile directive to your chain file. (See the example configuration on [[de:shibidp3prepare-http#konfiguration|IdP Preparations: HTTPServer]] resp. [[de:shibsp#konfigurationsbeispiel|Shibboleth SP configuration example]].+If you use the Apache webserver, point the SSLCACertificateFile directive to your chain file. (See the example configuration on [[de:shibidp3prepare-http#konfiguration|IdP Preparations: HTTPServer]] resp. [[de:shibsp#konfigurationsbeispiel|Shibboleth SP configuration example]]).
  
 Once you have added you certificate chain, adapted your configuration and activated it you can verify it with OpenSSL: Once you have added you certificate chain, adapted your configuration and activated it you can verify it with OpenSSL:
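Review bot: SSLCACertificateFile is the directive mod_ssl documents for client-certificate authentication; the directives documented for the chain sent to clients are SSLCertificateChainFile (before 2.4.8) or, from 2.4.8 on, the intermediates appended to the file named by SSLCertificateFile. Pointing SSLCACertificateFile at the chain file usually works because OpenSSL falls back to the trust store to assemble the chain, but the page should either say that this is what it relies on or recommend the chain directive, since readers who also enable client authentication will otherwise trust the whole chain file as client CAs. Two wording points in the same hunk: "Once you have added you certificate chain" should read "your", and "resp." (German "beziehungsweise") should be "or".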
Line 73: Line 73:
 $ openssl s_client -connect idp.domain.tld:443 $ openssl s_client -connect idp.domain.tld:443
 </code> </code>
-Below you can the answer of dfn.de's webserver as an example. As an alternative you can use external services, e.g. the  [[https://www.ssllabs.com/ssltest/|SSLLabs]] website.+Below you can see the answer of dfn.de's webserver as an example. As an alternative you can use external services, e.g. the [[https://www.ssllabs.com/ssltest/|SSLLabs]] website.
  
 **Next step:** [[en:functionaltest|Functional Tests]] **Next step:** [[en:functionaltest|Functional Tests]]
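Review bot: "openssl s_client -connect idp.domain.tld:443" as written sends no SNI and prints only the leaf certificate in PEM form, so on a host with several virtual hosts it may show the wrong certificate and it never shows the intermediates the server actually sent. Suggest "openssl s_client -connect idp.domain.tld:443 -servername idp.domain.tld -showcerts", and adding "-CAfile" pointing at the root used in the chain walk so that the "Verify return code" line reflects the configured chain rather than whatever happens to be in the local trust store.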