Differences

en:certificates [2019/07/11 17:06] Wolfgang Pempeen:certificates [2021/01/27 10:24] Wolfgang Pempe
Line 10: Line 10:
  
 ==== Information for Service Providers ==== ==== Information for Service Providers ====
-All certificates and the respective private keys used for SAML-based communication have to be added to your SP's configuration, no matter which of the options mentioned below you choose. With Shibboleth SP this is the ''CredentialResolver'' element in /etc/shibboleth/shibboleth2.xml (see [[https://wiki.aai.dfn.de/de:shibsp|Shibboleth SP (de)]]).+All certificates and the respective private keys used for SAML-based communication have to be added to your SP's configuration, no matter which of the options mentioned below you choose. With Shibboleth SP this is the ''CredentialResolver'' element in /etc/shibboleth/shibboleth2.xml (see [[de:shibsp|Shibboleth SP (de)]]).
  
 === DFN-PKI Certificates === === DFN-PKI Certificates ===
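Review bot: in the replacement line the config path /etc/shibboleth/shibboleth2.xml stays in plain text while ''CredentialResolver'' is set in monospace; wrap the path the same way (''/etc/shibboleth/shibboleth2.xml'') so both identifiers render consistently. Changing the link from the absolute wiki.aai.dfn.de URL to the internal target de:shibsp is fine, but the English page then still points only at German documentation; if an English counterpart of the SP page exists, link that first and keep the German one as a secondary reference.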
Line 17: Line 17:
  
 === Common Trusted CA Certificates === === Common Trusted CA Certificates ===
-You can use certificates issued by common Certification Authorities (CAs) that are preinstalled in the most common web browsers (Google Chrome, Firefox, Microsoft Edge). They must not exceed a validity of 39 months. If you get an "Issuer not found" warning for such a certificate please contact our [[mailto:hotline@aai.dfn.de|helpdesk]]. +You can use certificates issued by common Certification Authorities (CAs) that are preinstalled in the most common web browsers (Google Chrome, Firefox, Microsoft Edge). If you get an "Issuer not found" warning for such a certificate please contact our [[hotline@aai.dfn.de|helpdesk]].  
 + 
 +=== Own/Local CA === 
 +For institutions/organisations participating in the DFN-AAI that operate a larger, two- to three-digit number of entities (e.g. local SPs) in the DFN-AAI, it may be an option to set up a local CA to issue certificates for SAML-based communication. In such a case, only the respective root certificate of the CA must be verified by the DFN-AAI team. Verification is carried out in the same way as for self-signed certificates (see below). \\ 
 +**Note:** If required, local CAs can also be hosted by the DFN-PCA (contact: https://www.pki.dfn.de/pkikontakt/). \\ 
 +**Important:** A local CA must be operated with great care! In particular, it must be ensured that the private key, which is used to sign the certificates to be issued, is particularly well protected! \\ 
 +A good guide to operating your own CA can be found [[https://networklessons.com/uncategorized/openssl-certification-authority-ca-ubuntu-server|here]]. \\ 
 +Parameters to be considered: 
 +  * Root Private Key: RSA, 4096 Bit 
 +  * Validity of the root certificate: 20 years (recommended) 
 +  * Validity of the issued certificates: max. 39 months 
 +  * Key length of the issued certificates: at least 3072 bit 
 +  * Signature algorithm: sha256 
 +  * The CN of the issued certificate corresponds to the FQDN of the respective IdP/SP host.
  
 === Self-signed Certificates === === Self-signed Certificates ===
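Review bot: dropping "They must not exceed a validity of 39 months." from the Common Trusted CA paragraph leaves that option without any validity limit, while the new Own/Local CA list on the same page still prescribes "Validity of the issued certificates: max. 39 months"; either the cap still applies to public-CA certificates and the sentence should stay, or the list entry is now inconsistent with the rest of the page. Say which. In the Own/Local CA block, "particularly well protected" is too vague for the one key the DFN-AAI team cannot inspect once the root has been verified: state concretely that the CA private key should be kept offline or in an HSM/smartcard, never on an SP or IdP host, with access limited to named persons, and add that a compromised CA key lets anyone mint a trusted certificate for any of the institution's entities until the root is replaced in the federation metadata, since there is no revocation checking on this trust path. "Signature algorithm: sha256" names a hash, not a signature algorithm; write "SHA-256 as signature hash (sha256WithRSAEncryption)". The guide link carries an /uncategorized/ path that is likely to move, so consider citing a more durable reference such as the OpenSSL ca(1) documentation alongside it.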
Line 27: Line 40:
 $ openssl x509 -noout -fingerprint -sha256 -in self-signed-server-cert.pem $ openssl x509 -noout -fingerprint -sha256 -in self-signed-server-cert.pem
 </code> </code>
-  * As a third option, you can send us the certificate in an S/MIME-signed (signing cert form a well known CA) email to [[mailto:hotline@aai.dfn.de|hotline@aai.dfn.de]].+  * As a third option, you can send us the certificate in an S/MIME-signed (signing cert form a well known CA) email to [[hotline@aai.dfn.de|hotline@aai.dfn.de]].
  
 <callout type="danger" title="Exceptions"> <callout type="danger" title="Exceptions">
-**As for Service Providers that are already registered with another federation, the same certificate (i.e. the one registered with the other federation) may be used even if the aforementioned requirements are not met.** In this case, please drop a note to the DFN-AAI [[mailto:hotline@aai.dfn.de|helpdesk]].+**As for Service Providers that are already registered with another federation, the same certificate (i.e. the one registered with the other federation) may be used even if the aforementioned requirements are not met.** In this case, please drop a note to the DFN-AAI [[hotline@aai.dfn.de|helpdesk]].
 </callout> </callout>
  
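Review bot: the Exceptions callout waives "the aforementioned requirements" wholesale for SPs already registered with another federation, which as written includes the minimum key length and not only the validity or issuer rules; bound the exception to what is actually meant (for example validity period and issuing CA) and keep the key-size floor, because a weak key admitted through this route weakens trust for every IdP in the federation that encrypts to it. While this line is being edited anyway, fix the typo "signing cert form a well known CA" to "from a well known CA".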
Line 39: Line 52:
 == Letsencrypt == == Letsencrypt ==
 We strongly advise against the use of Letsencrypt certificates for SAML-based communication as they expire after 90 days. Every time, you would have to do a manual certificate rollover in the metadata administration tool. The SP configuration has to be adapted twice for a rollover, too. That is why we recommend self-signed certificates with a validity of 3 years. (If you are securing your webserver with Letsencrypt certificates, that is obviously no problem.)  We strongly advise against the use of Letsencrypt certificates for SAML-based communication as they expire after 90 days. Every time, you would have to do a manual certificate rollover in the metadata administration tool. The SP configuration has to be adapted twice for a rollover, too. That is why we recommend self-signed certificates with a validity of 3 years. (If you are securing your webserver with Letsencrypt certificates, that is obviously no problem.) 
- 
-=== Certificate rollover === 
-Whenever you switch to a new certificate, both the old and the new one are temporarily part of the federation's metadata. We recommend the documentation of [[https://www.switch.ch/aai/support/certificates/certificate-migration/|SWITCHaai]]. (When their documentation tells you to wait two hours, you should wait a whole day as the distribution of metadata to all DFN-AAI participants can take that long. If you have a DFN-PKI certificate, replace their referrals to self-signed certificates with the DFN-PKI certificate.) 
  
 **Next step:** [[en:functionaltest|Functional Tests]] **Next step:** [[en:functionaltest|Functional Tests]]
 +
 +==== Certificate / Key Rollover (SP) ====
 +
 +Whenever you switch to a new certificate, both the old and the new one are temporarily part of the federation's metadata. We recommend the documentation of [[https://www.switch.ch/aai/support/certificates/certificate-migration/|SWITCHaai]]. (When their documentation tells you to wait two hours, you should wait a whole day as the distribution of metadata to all DFN-AAI participants can take that long. If you have a DFN-PKI certificate, replace their referrals to self-signed certificates with the DFN-PKI certificate.) There is also some documentation in the [[https://wiki.shibboleth.net/confluence/display/SP3/Multiple+Credentials#MultipleCredentials-KeyRollover|Shibboleth Wiki]].
  
 ===== The SSL certificate chain on your webserver ===== ===== The SSL certificate chain on your webserver =====
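Review bot: the new "==== Certificate / Key Rollover (SP) ====" section is inserted after "**Next step:** [[en:functionaltest|Functional Tests]]", so the pointer to the next page no longer closes the SP section; move the "Next step" line below the rollover section. The rollover text should also spell out the order of operations instead of delegating it entirely to the SWITCHaai page: publish the new certificate in the metadata first (for both signing and encryption), wait the full day for distribution, then switch the SP to sign with the new key while keeping the old key available for decryption, and only after that remove the old certificate from the metadata and from the SP configuration. That two-step change of the SP configuration is exactly what the Letsencrypt paragraph above refers to with "has to be adapted twice", and stating it here makes the two paragraphs consistent.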