Differences

This shows you the differences between two versions of the page.

en:certificates [2017/12/04 15:51] – [The SSL certificate chain on your webserver] Silke Meyer
en:certificates [2019/03/21 10:00] Wolfgang Pempe
Line 2: Line 2:
 In the context of SAML-based communication between IdP and SP, certificates are used for purposes of signature validation and encryption. Those certificates must be registered for the respective entity using the [[en:metadata_admin_tool|metadata administration tool]]. In the context of SAML-based communication between IdP and SP, certificates are used for purposes of signature validation and encryption. Those certificates must be registered for the respective entity using the [[en:metadata_admin_tool|metadata administration tool]].
  
-**The general rule is:** Entities with invalid (that is expired or revoked) certificates are automatically removed from the productive DFN-AAI federation!+**The general rule is:** Entities with invalid (i.e. expired or revoked) certificates are automatically removed from the productive DFN-AAI federation!
 ===== Information for Identity Providers / Attribute Authorities ===== ===== Information for Identity Providers / Attribute Authorities =====
 Cf. [[de:shibidp3prepare-zert#dfn-pki-zertifikate|Vorbereitung: Zertifikate]] Cf. [[de:shibidp3prepare-zert#dfn-pki-zertifikate|Vorbereitung: Zertifikate]]
  
 ===== Information for Service Providers ===== ===== Information for Service Providers =====
-All certificates and the respective private keys used for SAML-based communication have to be add to your SP's configuration, no matter which of the options mentioned below you choose. With Shibboleth SP this is the ''CredentialResolver'' element in /etc/shibboleth/shibboleth2.xml (see [[https://wiki.aai.dfn.de/de:shibsp|Shibboleth SP (de)]]).+All certificates and the respective private keys used for SAML-based communication have to be added to your SP's configuration, no matter which of the options mentioned below you choose. With Shibboleth SP this is the ''CredentialResolver'' element in /etc/shibboleth/shibboleth2.xml (see [[https://wiki.aai.dfn.de/de:shibsp|Shibboleth SP (de)]]).
  
 ==== DFN-PKI Certificates ==== ==== DFN-PKI Certificates ====
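Review bot: the correction "have to be add" → "have to be added" is right, but the sentence still sends readers of the English page to the German Shibboleth SP page ([[https://wiki.aai.dfn.de/de:shibsp|Shibboleth SP (de)]]) for the ''CredentialResolver'' configuration; if an English counterpart exists, link it here, otherwise the "(de)" marker should be kept so readers know what to expect. The bolded general rule also states that entities with expired or revoked certificates are removed automatically without saying whether operators are notified beforehand; a pointer to that process would help SP and IdP administrators.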
Line 13: Line 13:
  
 ==== Common Trusted CA Certificates ==== ==== Common Trusted CA Certificates ====
-You can use certificates issued by common Certification Authorities (CAs) that are preinstalled in the most common web browsers (Google Chrome, Firefox, Microsoft Edge). They must not exceed a validity of 39 months. If you get an "Issuer not found" warning for such a certificate please contact our [[mailto:hotline@aai.dfn.de|helpdesk]]. +You can use certificates issued by common Certification Authorities (CAs) that are preinstalled in the most common web browsers (Google Chrome, Firefox, Microsoft Edge). They must not exceed a validity of 39 months. If you get an "Issuer not found" warning for such a certificate please contact our [[mailto:hotline@aai.dfn.de|helpdesk]]. 
-**Service Providers that are already registered with another federation, the same certificate (i.e. the one registered with the other federation) may be used even if the aforementioned requirements are not met.** In this case, please drop a note to the DFN-AAI [[mailto:hotline@aai.dfn.de|helpdesk]].+
  
 ==== Self-signed Certificates ==== ==== Self-signed Certificates ====
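Review bot: deleting the exception for Service Providers already registered with another federation from this section leaves the 39-month validity requirement and the "Issuer not found" advice standing without any stated exception; that is only acceptable if the exception is restated where a reader of this section will still find it, so consider replacing the removed line with a short cross-reference to wherever the exception now lives.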
Line 25: Line 24:
 </code> </code>
   * As a third option, you can send us the certificate in an S/MIME-signed (signing cert form a well known CA) email to [[mailto:hotline@aai.dfn.de|hotline@aai.dfn.de]].   * As a third option, you can send us the certificate in an S/MIME-signed (signing cert form a well known CA) email to [[mailto:hotline@aai.dfn.de|hotline@aai.dfn.de]].
 +
 +<callout type="danger" title="Exceptions">
 +**Service Providers that are already registered with another federation, the same certificate (i.e. the one registered with the other federation) may be used even if the aforementioned requirements are not met.** In this case, please drop a note to the DFN-AAI [[mailto:hotline@aai.dfn.de|helpdesk]].
 +</callout>
  
 ==== Please avoid the following certificates ==== ==== Please avoid the following certificates ====
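Review bot: the sentence moved into the new danger callout keeps its original dangling construction ("Service Providers that are already registered with another federation, the same certificate ... may be used"); rewrite the opening as "For Service Providers that are already registered with another federation, the same certificate (i.e. the one registered with the other federation) may be used ...". Placed after the self-signed option, "the aforementioned requirements" is now ambiguous between the 39-month limit for common CA certificates and the self-signed certificate requirements above it; name the requirements the exception actually covers. In the unchanged context line, "signing cert form a well known CA" should read "from".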