Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
en:certificates [2019/07/25 08:42]
Wolfgang Pempe
en:certificates [2019/09/12 11:16] (current)
Silke Meyer
Line 39: Line 39:
 == Letsencrypt == == Letsencrypt ==
 We strongly advise against the use of Letsencrypt certificates for SAML-based communication as they expire after 90 days. Every time, you would have to do a manual certificate rollover in the metadata administration tool. The SP configuration has to be adapted twice for a rollover, too. That is why we recommend self-signed certificates with a validity of 3 years. (If you are securing your webserver with Letsencrypt certificates, that is obviously no problem.)  We strongly advise against the use of Letsencrypt certificates for SAML-based communication as they expire after 90 days. Every time, you would have to do a manual certificate rollover in the metadata administration tool. The SP configuration has to be adapted twice for a rollover, too. That is why we recommend self-signed certificates with a validity of 3 years. (If you are securing your webserver with Letsencrypt certificates, that is obviously no problem.) 
- 
-=== Certificate rollover === 
-Whenever you switch to a new certificate, both the old and the new one are temporarily part of the federation's metadata. We recommend the documentation of [[https://www.switch.ch/aai/support/certificates/certificate-migration/|SWITCHaai]]. (When their documentation tells you to wait two hours, you should wait a whole day as the distribution of metadata to all DFN-AAI participants can take that long. If you have a DFN-PKI certificate, replace their referrals to self-signed certificates with the DFN-PKI certificate.) 
  
 **Next step:** [[en:functionaltest|Functional Tests]] **Next step:** [[en:functionaltest|Functional Tests]]
  
-===== Certificate / Key Rollover ===== +==== Certificate / Key Rollover (SP) ==== 
-For an example of a key rollover procedure please refer to the [[https://wiki.shibboleth.net/confluence/display/SP3/Multiple+Credentials#MultipleCredentials-KeyRollover|Shibboleth Wiki]]. \\ + 
-The documentation provided by SWITCH is a bit more detailed: https://www.switch.ch/aai/guides/sp/certificate-rollover/+Whenever you switch to a new certificate, both the old and the new one are temporarily part of the federation's metadata. We recommend the documentation of [[https://www.switch.ch/aai/support/certificates/certificate-migration/|SWITCHaai]]. (When their documentation tells you to wait two hours, you should wait whole day as the distribution of metadata to all DFN-AAI participants can take that long. If you have a DFN-PKI certificate, replace their referrals to self-signed certificates with the DFN-PKI certificate.) There is also some documentation in the [[https://wiki.shibboleth.net/confluence/display/SP3/Multiple+Credentials#MultipleCredentials-KeyRollover|Shibboleth Wiki]].
  
 ===== The SSL certificate chain on your webserver ===== ===== The SSL certificate chain on your webserver =====
  • Last modified: 17 months ago