en:certificates [2019/07/24 12:53] – [Information for Service Providers] Wolfgang Pempe
en:certificates [2019/07/25 08:43] – [Certificate / Key Rollover] Wolfgang Pempe
Line 10: Line 10:
  
 ==== Information for Service Providers ==== ==== Information for Service Providers ====
-All certificates and the respective private keys used for SAML-based communication have to be added to your SP's configuration, no matter which of the options mentioned below you choose. With Shibboleth SP this is the ''CredentialResolver'' element in /etc/shibboleth/shibboleth2.xml (see [[https://wiki.aai.dfn.de/de:shibsp|Shibboleth SP (de)]]).+All certificates and the respective private keys used for SAML-based communication have to be added to your SP's configuration, no matter which of the options mentioned below you choose. With Shibboleth SP this is the ''CredentialResolver'' element in /etc/shibboleth/shibboleth2.xml (see [[de:shibsp|Shibboleth SP (de)]]).
  
 === DFN-PKI Certificates === === DFN-PKI Certificates ===
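Review bot: replacing the absolute URL with the internal page id `de:shibsp` is the right change (the link now goes through the wiki's own link handling instead of a hard-coded host), but the sentence still sends readers of the English page to the German Shibboleth SP page for the `CredentialResolver` setup; either point to an English equivalent if one exists or say in the text that the linked page is German only. Minor style point on the same line: `''CredentialResolver''` uses the wiki's monospace markup while the path /etc/shibboleth/shibboleth2.xml does not; wrapping the path the same way would be consistent.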
Line 17: Line 17:
  
 === Common Trusted CA Certificates === === Common Trusted CA Certificates ===
-You can use certificates issued by common Certification Authorities (CAs) that are preinstalled in the most common web browsers (Google Chrome, Firefox, Microsoft Edge). They must not exceed a validity of 39 months. If you get an "Issuer not found" warning for such a certificate please contact our [[mailto:hotline@aai.dfn.de|helpdesk]]. +You can use certificates issued by common Certification Authorities (CAs) that are preinstalled in the most common web browsers (Google Chrome, Firefox, Microsoft Edge). They must not exceed a validity of 39 months. If you get an "Issuer not found" warning for such a certificate please contact our [[hotline@aai.dfn.de|helpdesk]]. 
  
 === Self-signed Certificates === === Self-signed Certificates ===
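Review bot: dropping the `mailto:` prefix in `[[hotline@aai.dfn.de|helpdesk]]` relies on the wiki recognizing a bare address inside `[[...]]` as an e-mail link; please check the rendered page to confirm it still yields a working `mailto:` link rather than a link to a non-existent page named `hotline@aai.dfn.de`. Independently of this change, the 39-month validity limit is stated without a source; naming where the limit comes from would let SP operators verify it when it changes. Also missing a comma: "If you get an "Issuer not found" warning for such a certificate, please contact our helpdesk".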
Line 27: Line 27:
 $ openssl x509 -noout -fingerprint -sha256 -in self-signed-server-cert.pem $ openssl x509 -noout -fingerprint -sha256 -in self-signed-server-cert.pem
 </code> </code>
-  * As a third option, you can send us the certificate in an S/MIME-signed (signing cert form a well known CA) email to [[mailto:hotline@aai.dfn.de|hotline@aai.dfn.de]].+  * As a third option, you can send us the certificate in an S/MIME-signed (signing cert form a well known CA) email to [[hotline@aai.dfn.de|hotline@aai.dfn.de]].
  
 <callout type="danger" title="Exceptions"> <callout type="danger" title="Exceptions">
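Review bot: the typo "signing cert form a well known CA" (should read "from a well-known CA") is present on both sides of this hunk; since the line is being edited anyway, fix it here. The same removal of the `mailto:` prefix as in the previous hunk applies to this line, so the same rendering check is needed for `[[hotline@aai.dfn.de|hotline@aai.dfn.de]]`.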
Line 44: Line 44:
  
 **Next step:** [[en:functionaltest|Functional Tests]] **Next step:** [[en:functionaltest|Functional Tests]]
 +
 +==== Certificate / Key Rollover (SP) ====
 +For an example of a key rollover procedure please refer to the [[https://wiki.shibboleth.net/confluence/display/SP3/Multiple+Credentials#MultipleCredentials-KeyRollover|Shibboleth Wiki]]. \\
 +The documentation provided by SWITCH is a bit more detailed: https://www.switch.ch/aai/guides/sp/certificate-rollover/
  
 ===== The SSL certificate chain on your webserver ===== ===== The SSL certificate chain on your webserver =====
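Review bot: the new "Certificate / Key Rollover (SP)" section only links out, so an SP operator cannot judge the required lead time without leaving the page; a short summary of the procedure the linked Shibboleth page describes (run the new key pair alongside the old one in the `CredentialResolver` element mentioned earlier, get the new certificate published in the federation metadata and wait until all IdPs have picked it up, only then drop the old credential) and a pointer back to the options above for how the new certificate reaches the DFN-AAI metadata would make the section self-contained. Style: the forced line break `\\` after the Shibboleth Wiki link and the bare SWITCH URL are inconsistent with the `[[url|text]]` form used on the line before; write the SWITCH guide as a titled link as well.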