Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
Next revisionBoth sides next revision
en:certificates [2019/07/25 08:42] Wolfgang Pempeen:certificates [2019/09/12 11:16] Silke Meyer
Line 39: Line 39:
 == Letsencrypt == == Letsencrypt ==
 We strongly advise against the use of Letsencrypt certificates for SAML-based communication as they expire after 90 days. Every time, you would have to do a manual certificate rollover in the metadata administration tool. The SP configuration has to be adapted twice for a rollover, too. That is why we recommend self-signed certificates with a validity of 3 years. (If you are securing your webserver with Letsencrypt certificates, that is obviously no problem.)  We strongly advise against the use of Letsencrypt certificates for SAML-based communication as they expire after 90 days. Every time, you would have to do a manual certificate rollover in the metadata administration tool. The SP configuration has to be adapted twice for a rollover, too. That is why we recommend self-signed certificates with a validity of 3 years. (If you are securing your webserver with Letsencrypt certificates, that is obviously no problem.) 
- 
-=== Certificate rollover === 
-Whenever you switch to a new certificate, both the old and the new one are temporarily part of the federation's metadata. We recommend the documentation of [[https://www.switch.ch/aai/support/certificates/certificate-migration/|SWITCHaai]]. (When their documentation tells you to wait two hours, you should wait a whole day as the distribution of metadata to all DFN-AAI participants can take that long. If you have a DFN-PKI certificate, replace their referrals to self-signed certificates with the DFN-PKI certificate.) 
  
 **Next step:** [[en:functionaltest|Functional Tests]] **Next step:** [[en:functionaltest|Functional Tests]]
  
-==== Certificate / Key Rollover ==== +==== Certificate / Key Rollover (SP) ==== 
-For an example of a key rollover procedure please refer to the [[https://wiki.shibboleth.net/confluence/display/SP3/Multiple+Credentials#MultipleCredentials-KeyRollover|Shibboleth Wiki]]. \\ + 
-The documentation provided by SWITCH is a bit more detailed: https://www.switch.ch/aai/guides/sp/certificate-rollover/+Whenever you switch to a new certificate, both the old and the new one are temporarily part of the federation's metadata. We recommend the documentation of [[https://www.switch.ch/aai/support/certificates/certificate-migration/|SWITCHaai]]. (When their documentation tells you to wait two hours, you should wait whole day as the distribution of metadata to all DFN-AAI participants can take that long. If you have a DFN-PKI certificate, replace their referrals to self-signed certificates with the DFN-PKI certificate.) There is also some documentation in the [[https://wiki.shibboleth.net/confluence/display/SP3/Multiple+Credentials#MultipleCredentials-KeyRollover|Shibboleth Wiki]].
  
 ===== The SSL certificate chain on your webserver ===== ===== The SSL certificate chain on your webserver =====
  • Last modified: 14 months ago