Differences
This shows you the differences between two versions of the page.
en:certificates [2021/07/14 09:39] – [Information for Service Providers] Silke Meyer | en:certificates [2022/12/01 15:32] – Wolfgang Pempe | ||
---|---|---|---|
Line 7: | Line 7: | ||
**The general rule is:** Entities with invalid (i.e. expired or revoked) certificates are automatically removed from the productive DFN-AAI federation! | **The general rule is:** Entities with invalid (i.e. expired or revoked) certificates are automatically removed from the productive DFN-AAI federation! | ||
==== Information for Identity Providers / Attribute Authorities ==== | ==== Information for Identity Providers / Attribute Authorities ==== | ||
- | Cf. [[de:shibidp3prepare-zert# | + | Cf. [[de:shibidp: |
==== Information for Service Providers ==== | ==== Information for Service Providers ==== | ||
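Review bot: the IdP/AA paragraph in this hunk still sends readers of the English page to the German namespace (the old `de:shibidp3prepare-zert#` anchor and the new `de:shibidp:` target are both `de:` pages), and the new target is cut off in this view, so the anchor cannot be checked here. Suggest confirming that the new `de:shibidp:` link resolves to the certificate preparation section, and pointing to an `en:` page if one exists.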
Line 13: | Line 13: | ||
=== DFN-PKI Certificates === | === DFN-PKI Certificates === | ||
- | For general information, please refer to https:// | + | For SAML-based communication, 3-year valid certificates from the [[https:// |
- | If you are entitled to request certificates issued by DFN-PKI, please select the " | + | |
=== Common Trusted CA Certificates === | === Common Trusted CA Certificates === | ||
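Review bot: the rewrite of the DFN-PKI paragraph drops the eligibility caveat ("If you are entitled to request certificates issued by DFN-PKI, please select the ...") and replaces it with a statement that 3-year valid certificates are used for SAML-based communication. If DFN-PKI certificates can only be requested by participating institutions, that condition should survive the rewrite, otherwise SP operators outside DFN-PKI will read this as a general option; and since the sentence now scopes the certificate to SAML-based communication, a sentence saying whether the same certificate may also serve the SP host's TLS endpoint would avoid the obvious follow-up question.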
Line 20: | Line 19: | ||
=== Own/Local CA === | === Own/Local CA === | ||
- | For institutions/ | + | For institutions/ |
**Note:** If required, local CAs can also be hosted by the DFN-PCA (contact: https:// | **Note:** If required, local CAs can also be hosted by the DFN-PCA (contact: https:// | ||
**Important: | **Important: | ||
Line 28: | Line 27: | ||
* Validity of the root certificate: | * Validity of the root certificate: | ||
* Validity of the issued certificates: | * Validity of the issued certificates: | ||
- | * Key length of the issued certificates: | + | * Key length of the issued certificates: |
* Signature algorithm: sha256 | * Signature algorithm: sha256 | ||
* The CN of the issued certificate corresponds to the FQDN of the respective IdP/SP host. | * The CN of the issued certificate corresponds to the FQDN of the respective IdP/SP host. | ||
=== Self-signed Certificates === | === Self-signed Certificates === | ||
- | Self-signed certificates may be used if they are not valid for longer than 39 months. For production, the CN (or the subject alternative names) of the certificate must at least contain the domain name of the SP. Ideally it should contain the complete host name. As for the technical details, please refer to the online documentation of [[https:// | + | Self-signed certificates may be used if they are not valid for longer than 39 months. For production, the CN (or the subject alternative names) of the certificate must at least contain the domain name of the SP. Ideally it should contain the complete host name. As for the technical details, please refer to the online documentation of [[https:// |
- | * Send us the certificate in an S/ | + | |
- | * An alternative way is to offer us a possibility to download the certificate via https (e.g. via your SPs metadata handler | + | |
- | * If none of these options works for you, please get in touch with us (+49 30 884299-9124, [[hotline@aai.dfn.de|hotline@aai.dfn.de]]). | + | |
- | < | + | < |
**As for Service Providers that are already registered with another federation, the same certificate (i.e. the one registered with the other federation) may be used even if the aforementioned requirements are not met.** In this case, please drop a note to the DFN-AAI [[hotline@aai.dfn.de|helpdesk]]. | **As for Service Providers that are already registered with another federation, the same certificate (i.e. the one registered with the other federation) may be used even if the aforementioned requirements are not met.** In this case, please drop a note to the DFN-AAI [[hotline@aai.dfn.de|helpdesk]]. | ||
</ | </ | ||
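Review bot: the three delivery options for a self-signed certificate (S/MIME mail, HTTPS download e.g. via the SP's metadata handler, and the hotline fallback) are removed with nothing visible on the right-hand side of this hunk. If the new revision collects the certificate through another route (a registration form, metadata upload), link to it here, otherwise an SP operator following the self-signed path has no instruction on how to get the certificate to the federation. Also, the key-length requirement for the local-CA case is changed in this hunk but the new value is truncated in this view; it should be checked against the 39-month validity rule and the sha256 requirement stated in the same list so the three constraints remain consistent.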
Line 88: | Line 84: | ||
If there is another intermediate certificate, | If there is another intermediate certificate, | ||
- | If you use the Apache webserver, point the SSLCACertificateFile directive to your chain file. (See the example configuration on [[de:shibidp3prepare-http# | + | If you use the Apache webserver, point the SSLCACertificateFile directive to your chain file. (See the example configuration on [[de:shibidp: |
Once you have added you certificate chain, adapted your configuration and activated it you can verify it with OpenSSL: | Once you have added you certificate chain, adapted your configuration and activated it you can verify it with OpenSSL: |
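Review bot: pointing `SSLCACertificateFile` at the chain file is a workaround rather than the documented way to ship intermediates. That directive defines the CAs accepted for client-certificate verification; the server's intermediate certificates only get sent because OpenSSL auto-builds the chain from that store, and if `SSLVerifyClient` is ever enabled those CAs also become acceptable client-cert issuers. The directive intended for the server chain is `SSLCertificateChainFile`, or on Apache 2.4.8 and later simply appending the intermediates after the server certificate in `SSLCertificateFile`; suggest updating the text and the linked `de:shibidp:` example accordingly. Minor: "Once you have added you certificate chain" should read "your certificate chain".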