Differences
en:certificates [2019/07/11 17:06] – Wolfgang Pempe | en:certificates [2019/09/12 11:16] – Silke Meyer | ||
---|---|---|---|
Line 10: | Line 10: | ||
==== Information for Service Providers ==== | ==== Information for Service Providers ==== | ||
- | All certificates and the respective private keys used for SAML-based communication have to be added to your SP's configuration, | + | All certificates and the respective private keys used for SAML-based communication have to be added to your SP's configuration, |
=== DFN-PKI Certificates === | === DFN-PKI Certificates === | ||
Line 17: | Line 17: | ||
=== Common Trusted CA Certificates === | === Common Trusted CA Certificates === | ||
- | You can use certificates issued by common Certification Authorities (CAs) that are preinstalled in the most common web browsers (Google Chrome, Firefox, Microsoft Edge). They must not exceed a validity of 39 months. If you get an " | + | You can use certificates issued by common Certification Authorities (CAs) that are preinstalled in the most common web browsers (Google Chrome, Firefox, Microsoft Edge). They must not exceed a validity of 39 months. If you get an " |
=== Self-signed Certificates === | === Self-signed Certificates === | ||
Line 27: | Line 27: | ||
$ openssl x509 -noout -fingerprint -sha256 -in self-signed-server-cert.pem | $ openssl x509 -noout -fingerprint -sha256 -in self-signed-server-cert.pem | ||
</ | </ | ||
- | * As a third option, you can send us the certificate in an S/ | + | * As a third option, you can send us the certificate in an S/ |
<callout type=" | <callout type=" | ||
- | **As for Service Providers that are already registered with another federation, the same certificate (i.e. the one registered with the other federation) may be used even if the aforementioned requirements are not met.** In this case, please drop a note to the DFN-AAI [[mailto:hotline@aai.dfn.de|helpdesk]]. | + | **As for Service Providers that are already registered with another federation, the same certificate (i.e. the one registered with the other federation) may be used even if the aforementioned requirements are not met.** In this case, please drop a note to the DFN-AAI [[hotline@aai.dfn.de|helpdesk]]. |
</ | </ | ||
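Review bot: dropping the `mailto:` scheme in `[[hotline@aai.dfn.de|helpdesk]]` makes the link depend on the wiki recognising the bare address as an e-mail link; confirm the rendered page still yields a `mailto:` link and not an internal link to a non-existent page named after the address, otherwise keep the previous `[[mailto:hotline@aai.dfn.de|helpdesk]]` form.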
Line 39: | Line 39: | ||
== Letsencrypt == | == Letsencrypt == | ||
We strongly advise against the use of Letsencrypt certificates for SAML-based communication as they expire after 90 days. Every time, you would have to do a manual certificate rollover in the metadata administration tool. The SP configuration has to be adapted twice for a rollover, too. That is why we recommend self-signed certificates with a validity of 3 years. (If you are securing your webserver with Letsencrypt certificates, | We strongly advise against the use of Letsencrypt certificates for SAML-based communication as they expire after 90 days. Every time, you would have to do a manual certificate rollover in the metadata administration tool. The SP configuration has to be adapted twice for a rollover, too. That is why we recommend self-signed certificates with a validity of 3 years. (If you are securing your webserver with Letsencrypt certificates, | ||
- | |||
- | === Certificate rollover === | ||
- | Whenever you switch to a new certificate, | ||
**Next step:** [[en: | **Next step:** [[en: | ||
+ | |||
+ | ==== Certificate / Key Rollover (SP) ==== | ||
+ | |||
+ | Whenever you switch to a new certificate, | ||
===== The SSL certificate chain on your webserver ===== | ===== The SSL certificate chain on your webserver ===== |
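Review bot: moving the rollover text from above the `**Next step:**` pointer to below it means a reader who follows that pointer leaves the page before seeing the rollover instructions; either keep the section above the pointer or make sure the next page refers back to it. The new `==== Certificate / Key Rollover (SP) ====` heading also has the same level as `==== Information for Service Providers ====`, so what was a subsection (`=== Certificate rollover ===`) is now a sibling section; if that promotion is intended, the "(SP)" suffix is doing the work of scoping it, which is fine, but otherwise the `===` level should be kept.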