Differences

This shows you the differences between two versions of the page.

Old revision: en:certificates [2019/07/11 17:06] Wolfgang Pempe
New revision: en:certificates [2019/09/12 11:16] Silke Meyer
Line 10: Line 10:
  
 ==== Information for Service Providers ==== ==== Information for Service Providers ====
-All certificates and the respective private keys used for SAML-based communication have to be added to your SP's configuration, no matter which of the options mentioned below you choose. With Shibboleth SP this is the ''CredentialResolver'' element in /etc/shibboleth/shibboleth2.xml (see [[https://wiki.aai.dfn.de/de:shibsp|Shibboleth SP (de)]]).+All certificates and the respective private keys used for SAML-based communication have to be added to your SP's configuration, no matter which of the options mentioned below you choose. With Shibboleth SP this is the ''CredentialResolver'' element in /etc/shibboleth/shibboleth2.xml (see [[de:shibsp|Shibboleth SP (de)]]).
  
 === DFN-PKI Certificates === === DFN-PKI Certificates ===
Line 17: Line 17:
  
 === Common Trusted CA Certificates === === Common Trusted CA Certificates ===
-You can use certificates issued by common Certification Authorities (CAs) that are preinstalled in the most common web browsers (Google Chrome, Firefox, Microsoft Edge). They must not exceed a validity of 39 months. If you get an "Issuer not found" warning for such a certificate please contact our [[mailto:hotline@aai.dfn.de|helpdesk]]. +You can use certificates issued by common Certification Authorities (CAs) that are preinstalled in the most common web browsers (Google Chrome, Firefox, Microsoft Edge). They must not exceed a validity of 39 months. If you get an "Issuer not found" warning for such a certificate please contact our [[hotline@aai.dfn.de|helpdesk]]. 
  
 === Self-signed Certificates === === Self-signed Certificates ===
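Review bot: the helpdesk link on the Common Trusted CA line drops the `mailto:` prefix, changing `[[mailto:hotline@aai.dfn.de|helpdesk]]` to `[[hotline@aai.dfn.de|helpdesk]]`; DokuWiki's `[[...]]` syntax does treat a bare e-mail address as an e-mail link, but verify the rendered page once, because the same edit is repeated in the two hunks below and a broken link would leave readers with no way to reach the helpdesk. The 39-month validity limit and the list of browsers are unchanged.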
Line 27: Line 27:
 $ openssl x509 -noout -fingerprint -sha256 -in self-signed-server-cert.pem $ openssl x509 -noout -fingerprint -sha256 -in self-signed-server-cert.pem
 </code> </code>
-  * As a third option, you can send us the certificate in an S/MIME-signed (signing cert form a well known CA) email to [[mailto:hotline@aai.dfn.de|hotline@aai.dfn.de]].+  * As a third option, you can send us the certificate in an S/MIME-signed (signing cert form a well known CA) email to [[hotline@aai.dfn.de|hotline@aai.dfn.de]].
  
 <callout type="danger" title="Exceptions"> <callout type="danger" title="Exceptions">
-**As for Service Providers that are already registered with another federation, the same certificate (i.e. the one registered with the other federation) may be used even if the aforementioned requirements are not met.** In this case, please drop a note to the DFN-AAI [[mailto:hotline@aai.dfn.de|helpdesk]].+**As for Service Providers that are already registered with another federation, the same certificate (i.e. the one registered with the other federation) may be used even if the aforementioned requirements are not met.** In this case, please drop a note to the DFN-AAI [[hotline@aai.dfn.de|helpdesk]].
 </callout> </callout>
  
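Review bot: the typo "signing cert form a well known CA" in the S/MIME bullet survives this revision on both sides; since the line is being touched anyway for the `mailto:` removal, it should read "signing cert from a well-known CA". The emphasised exception in the danger callout (an SP already registered with another federation may keep that federation's certificate) is unchanged apart from the same link edit.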
Line 39: Line 39:
 == Letsencrypt == == Letsencrypt ==
 We strongly advise against the use of Letsencrypt certificates for SAML-based communication as they expire after 90 days. Every time, you would have to do a manual certificate rollover in the metadata administration tool. The SP configuration has to be adapted twice for a rollover, too. That is why we recommend self-signed certificates with a validity of 3 years. (If you are securing your webserver with Letsencrypt certificates, that is obviously no problem.)  We strongly advise against the use of Letsencrypt certificates for SAML-based communication as they expire after 90 days. Every time, you would have to do a manual certificate rollover in the metadata administration tool. The SP configuration has to be adapted twice for a rollover, too. That is why we recommend self-signed certificates with a validity of 3 years. (If you are securing your webserver with Letsencrypt certificates, that is obviously no problem.) 
- 
-=== Certificate rollover === 
-Whenever you switch to a new certificate, both the old and the new one are temporarily part of the federation's metadata. We recommend the documentation of [[https://www.switch.ch/aai/support/certificates/certificate-migration/|SWITCHaai]]. (When their documentation tells you to wait two hours, you should wait a whole day as the distribution of metadata to all DFN-AAI participants can take that long. If you have a DFN-PKI certificate, replace their referrals to self-signed certificates with the DFN-PKI certificate.) 
  
 **Next step:** [[en:functionaltest|Functional Tests]] **Next step:** [[en:functionaltest|Functional Tests]]
 +
 +==== Certificate / Key Rollover (SP) ====
 +
 +Whenever you switch to a new certificate, both the old and the new one are temporarily part of the federation's metadata. We recommend the documentation of [[https://www.switch.ch/aai/support/certificates/certificate-migration/|SWITCHaai]]. (When their documentation tells you to wait two hours, you should wait a whole day as the distribution of metadata to all DFN-AAI participants can take that long. If you have a DFN-PKI certificate, replace their referrals to self-signed certificates with the DFN-PKI certificate.) There is also some documentation in the [[https://wiki.shibboleth.net/confluence/display/SP3/Multiple+Credentials#MultipleCredentials-KeyRollover|Shibboleth Wiki]].
  
 ===== The SSL certificate chain on your webserver ===== ===== The SSL certificate chain on your webserver =====
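Review bot: the rollover text is promoted from a `=== Certificate rollover ===` subsection under Letsencrypt to a new `==== Certificate / Key Rollover (SP) ====` section, but it now lands after the `**Next step:** [[en:functionaltest|Functional Tests]]` line, so a reader following the next-step pointer leaves the page before reaching the rollover guidance; move the next-step line below the new section (or repeat it there). The added Shibboleth Wiki link (Multiple Credentials / Key Rollover) is a useful complement to the SWITCHaai instructions; the advice to wait a full day for metadata distribution and to substitute the DFN-PKI certificate where SWITCH refers to self-signed ones is carried over unchanged.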