Differences
en:certificates [2022/12/01 15:32] – Wolfgang Pempe | en:certificates [2023/01/06 14:31] – Wolfgang Pempe | ||
---|---|---|---|
Line 11: | Line 11: | ||
==== Information for Service Providers ==== | ==== Information for Service Providers ==== | ||
All certificates and the respective private keys used for SAML-based communication have to be added to your SP's configuration, | All certificates and the respective private keys used for SAML-based communication have to be added to your SP's configuration, | ||
+ | |||
+ | \\ | ||
=== DFN-PKI Certificates === | === DFN-PKI Certificates === | ||
For SAML-based communication, | For SAML-based communication, | ||
+ | |||
+ | \\ | ||
=== Common Trusted CA Certificates === | === Common Trusted CA Certificates === | ||
You can use certificates issued by common Certification Authorities (CAs) that are preinstalled in the most common web browsers (Google Chrome, Firefox, Microsoft Edge). If you get an " | You can use certificates issued by common Certification Authorities (CAs) that are preinstalled in the most common web browsers (Google Chrome, Firefox, Microsoft Edge). If you get an " | ||
+ | |||
+ | \\ | ||
=== Own/Local CA === | === Own/Local CA === | ||
- | For institutions/ | + | For certificates from a local CA the same rules apply as for self-signed |
- | **Note:** If required, local CAs can also be hosted by the DFN-PCA (contact: https://www.pki.dfn.de/ | + | |
- | **Important: | + | \\ |
- | A good guide to operating your own CA can be found [[https:// | + | |
- | Parameters to be considered: | + | |
- | * Root Private Key: RSA, 4096 Bit | + | |
- | * Validity of the root certificate: | + | |
- | * Validity of the issued certificates: | + | |
- | * Key length of the issued certificates: | + | |
- | * Signature algorithm: sha256 | + | |
- | * The CN of the issued certificate corresponds to the FQDN of the respective IdP/SP host. | + | |
=== Self-signed Certificates === | === Self-signed Certificates === | ||
Self-signed certificates may be used if they are not valid for longer than 39 months. For production, the CN (or the subject alternative names) of the certificate must at least contain the domain name of the SP. Ideally it should contain the complete host name. As for the technical details, please refer to the online documentation of [[https:// | Self-signed certificates may be used if they are not valid for longer than 39 months. For production, the CN (or the subject alternative names) of the certificate must at least contain the domain name of the SP. Ideally it should contain the complete host name. As for the technical details, please refer to the online documentation of [[https:// | ||
+ | |||
+ | \\ | ||
<callout color="# | <callout color="# |
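Review bot: the right-hand replacement of the Own/Local CA section ("For certificates from a local CA the same rules apply as for self-signed") drops every concrete parameter the left side listed, and the Self-signed Certificates section it now defers to only states the 39-month validity limit and the CN/SAN domain-name rule, so "* Root Private Key: RSA, 4096 Bit", "* Signature algorithm: sha256" and "* The CN of the issued certificate corresponds to the FQDN of the respective IdP/SP host." no longer appear anywhere on the page; either carry the key length, signature algorithm and CN-equals-FQDN requirements into the Self-signed section or keep a shortened parameter list under Own/Local CA. The same deletion also removes the note that local CAs can be hosted by the DFN-PCA (https://www.pki.dfn.de/), the "**Important:**" line and the link to the guide on operating a CA; confirm these are intentionally gone rather than lost in the edit. Minor: the new "\\" lines added after each paragraph are DokuWiki forced line breaks on their own line, which add extra vertical space on top of the blank line already present; if plain paragraph spacing is wanted, the blank line alone suffices.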