Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision		 Previous revision
Next revisionBoth sides next revision
en:certificates [2022/12/01 15:32] Wolfgang Pempeen:certificates [2023/01/06 14:31] Wolfgang Pempe
Line 11: Line 11:
 ==== Information for Service Providers ==== ==== Information for Service Providers ====
 All certificates and the respective private keys used for SAML-based communication have to be added to your SP's configuration, no matter which of the options mentioned below you choose. With Shibboleth SP this is the ''CredentialResolver'' element in /etc/shibboleth/shibboleth2.xml (see [[de:shibsp|Shibboleth SP (de)]]). All certificates and the respective private keys used for SAML-based communication have to be added to your SP's configuration, no matter which of the options mentioned below you choose. With Shibboleth SP this is the ''CredentialResolver'' element in /etc/shibboleth/shibboleth2.xml (see [[de:shibsp|Shibboleth SP (de)]]).
 +
 +\\
  
 === DFN-PKI Certificates === === DFN-PKI Certificates ===
 For SAML-based communication, 3-year valid certificates from the [[https://www.pki.dfn.de/dfn-verein-community-pki|DFN-Verein Community PKI]] are recommended. If you are entitled to request certificates issued by DFN-PKI, please select the "Shibboleth IdP SP" profile when submitting your CSR. Upload the server certificate in the metadata administration tool. For SAML-based communication, 3-year valid certificates from the [[https://www.pki.dfn.de/dfn-verein-community-pki|DFN-Verein Community PKI]] are recommended. If you are entitled to request certificates issued by DFN-PKI, please select the "Shibboleth IdP SP" profile when submitting your CSR. Upload the server certificate in the metadata administration tool.
 +
 +\\
  
 === Common Trusted CA Certificates === === Common Trusted CA Certificates ===
 You can use certificates issued by common Certification Authorities (CAs) that are preinstalled in the most common web browsers (Google Chrome, Firefox, Microsoft Edge). If you get an "Issuer not found" warning for such a certificate please contact our [[hotline@aai.dfn.de|helpdesk]].  You can use certificates issued by common Certification Authorities (CAs) that are preinstalled in the most common web browsers (Google Chrome, Firefox, Microsoft Edge). If you get an "Issuer not found" warning for such a certificate please contact our [[hotline@aai.dfn.de|helpdesk]]. 
 +
 +\\
  
 === Own/Local CA === === Own/Local CA ===
-For institutions/organisations participating in the DFN-AAI that operate larger, two- to three-digit number of entities (e.g. local SPs) in the DFN-AAI, it may be an option to set up a local CA to issue certificates for SAML-based communication. \\ +For certificates from a local CA the same rules apply as for self-signed certificates, see below
-**Note:** If requiredlocal CAs can also be hosted by the DFN-PCA (contact: https://www.pki.dfn.de/pkikontakt/). \\ + 
-**Important:** A local CA must be operated with great care! In particular, it must be ensured that the private key, which is used to sign the certificates to be issued, is particularly well protected! \\ +\\
-A good guide to operating your own CA can be found [[https://networklessons.com/uncategorized/openssl-certification-authority-ca-ubuntu-server|here]]. \\ +
-Parameters to be considered: +
-  * Root Private Key: RSA, 4096 Bit +
-  * Validity of the root certificate: 20 years (recommended) +
-  * Validity of the issued certificates: max. 39 months +
-  * Key length of the issued certificates: 4096 bit +
-  * Signature algorithm: sha256 +
-  * The CN of the issued certificate corresponds to the FQDN of the respective IdP/SP host.+
  
 === Self-signed Certificates === === Self-signed Certificates ===
 Self-signed certificates may be used if they are not valid for longer than 39 months. For production, the CN (or the subject alternative names) of the certificate must at least contain the domain name of the SP. Ideally it should contain the complete host name. As for the technical details, please refer to the online documentation of [[https://www.switch.ch/aai/guides/sp/configuration/#4|SWITCHaai]]. Please note that the period of validity must be set at 3 years or a maximum of 39 months (keygen tool: ''-y 3'', openssl: ''-days 1170'').  Self-signed certificates may be used if they are not valid for longer than 39 months. For production, the CN (or the subject alternative names) of the certificate must at least contain the domain name of the SP. Ideally it should contain the complete host name. As for the technical details, please refer to the online documentation of [[https://www.switch.ch/aai/guides/sp/configuration/#4|SWITCHaai]]. Please note that the period of validity must be set at 3 years or a maximum of 39 months (keygen tool: ''-y 3'', openssl: ''-days 1170''). 
 +
 +\\
  
 <callout color="#ff9900" title="Exceptions"> <callout color="#ff9900" title="Exceptions">
  • Last modified: 17 months ago