Differences

This shows you the differences between two versions of the page.

en:certificates [2019/07/25 08:43]
Wolfgang Pempe [Certificate / Key Rollover]
en:certificates [2019/09/12 11:16] (current)
Silke Meyer
Line 39: Line 39:
 == Letsencrypt == == Letsencrypt ==
 We strongly advise against the use of Letsencrypt certificates for SAML-based communication as they expire after 90 days. Every time, you would have to do a manual certificate rollover in the metadata administration tool. The SP configuration has to be adapted twice for a rollover, too. That is why we recommend self-signed certificates with a validity of 3 years. (If you are securing your webserver with Letsencrypt certificates,​ that is obviously no problem.) ​ We strongly advise against the use of Letsencrypt certificates for SAML-based communication as they expire after 90 days. Every time, you would have to do a manual certificate rollover in the metadata administration tool. The SP configuration has to be adapted twice for a rollover, too. That is why we recommend self-signed certificates with a validity of 3 years. (If you are securing your webserver with Letsencrypt certificates,​ that is obviously no problem.) ​
- 
-=== Certificate rollover === 
-Whenever you switch to a new certificate,​ both the old and the new one are temporarily part of the federation'​s metadata. We recommend the documentation of [[https://​www.switch.ch/​aai/​support/​certificates/​certificate-migration/​|SWITCHaai]]. (When their documentation tells you to wait two hours, you should wait a whole day as the distribution of metadata to all DFN-AAI participants can take that long. If you have a DFN-PKI certificate,​ replace their referrals to self-signed certificates with the DFN-PKI certificate.) 
  
 **Next step:** [[en:​functionaltest|Functional Tests]] **Next step:** [[en:​functionaltest|Functional Tests]]
  
 ==== Certificate / Key Rollover (SP) ==== ==== Certificate / Key Rollover (SP) ====
-For an example ​of a key rollover procedure please refer to the [[https://​wiki.shibboleth.net/​confluence/​display/​SP3/​Multiple+Credentials#​MultipleCredentials-KeyRollover|Shibboleth Wiki]]. ​\\ + 
-The documentation provided by SWITCH is a bit more detailed: https://​www.switch.ch/​aai/​guides/​sp/​certificate-rollover/​+Whenever you switch to a new certificate,​ both the old and the new one are temporarily part of the federation'​s metadata. We recommend the documentation of [[https://​www.switch.ch/​aai/​support/​certificates/​certificate-migration/​|SWITCHaai]]. (When their documentation tells you to wait two hours, you should wait whole day as the distribution of metadata ​to all DFN-AAI participants can take that long. If you have a DFN-PKI certificate,​ replace their referrals to self-signed certificates with the DFN-PKI certificate.) There is also some documentation in the [[https://​wiki.shibboleth.net/​confluence/​display/​SP3/​Multiple+Credentials#​MultipleCredentials-KeyRollover|Shibboleth Wiki]].
  
 ===== The SSL certificate chain on your webserver ===== ===== The SSL certificate chain on your webserver =====
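Review bot: the moved rollover paragraph on the `+` side loses the article the `-` side had: "you should wait whole day" should read "you should wait a whole day". The rewrite also drops the link to the SWITCH SP rollover guide (https://www.switch.ch/aai/guides/sp/certificate-rollover/), which the removed line described as "a bit more detailed" than the Shibboleth Wiki page; the SWITCHaai link that remains points to the general certificate-migration page, so consider keeping the SP-specific guide alongside it. On placement, the rollover guidance now sits below the "**Next step:** Functional Tests" pointer, so a reader who follows that link skips it; moving the pointer after the SP rollover section would keep the reading order intact.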