Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
en:certificates [2019/09/12 11:16] Silke Meyeren:certificates [2023/02/01 17:42] (current) Wolfgang Pempe
Line 7: Line 7:
 **The general rule is:** Entities with invalid (i.e. expired or revoked) certificates are automatically removed from the productive DFN-AAI federation! **The general rule is:** Entities with invalid (i.e. expired or revoked) certificates are automatically removed from the productive DFN-AAI federation!
 ==== Information for Identity Providers / Attribute Authorities ==== ==== Information for Identity Providers / Attribute Authorities ====
-Cf. [[de:shibidp3prepare-zert#dfn-pki-zertifikate|Vorbereitung: Zertifikate]]+Cf. [[de:shibidp:prepare-zert|Vorbereitung: Zertifikate]]
  
 ==== Information for Service Providers ==== ==== Information for Service Providers ====
 All certificates and the respective private keys used for SAML-based communication have to be added to your SP's configuration, no matter which of the options mentioned below you choose. With Shibboleth SP this is the ''CredentialResolver'' element in /etc/shibboleth/shibboleth2.xml (see [[de:shibsp|Shibboleth SP (de)]]). All certificates and the respective private keys used for SAML-based communication have to be added to your SP's configuration, no matter which of the options mentioned below you choose. With Shibboleth SP this is the ''CredentialResolver'' element in /etc/shibboleth/shibboleth2.xml (see [[de:shibsp|Shibboleth SP (de)]]).
 +
 +\\
  
 === DFN-PKI Certificates === === DFN-PKI Certificates ===
-For general informationplease refer to https://www.pki.dfn.de/dfn-aai-zertifikate/ \\ +For SAML-based communication3-year valid certificates from the [[https://www.pki.dfn.de/dfn-verein-community-pki|DFN-Verein Community PKI]] are recommended. If you are entitled to request certificates issued by DFN-PKI, please select the "Shibboleth IdP SP" profile when submitting your CSR. Upload the server certificate in the metadata administration tool. 
-If you are entitled to request certificates issued by DFN-PKI, please select the "Shibboleth IdP SP" profile when submitting your CSR. Upload the server certificate in the metadata administration tool.+ 
 +\\
  
 === Common Trusted CA Certificates === === Common Trusted CA Certificates ===
-You can use certificates issued by common Certification Authorities (CAs) that are preinstalled in the most common web browsers (Google Chrome, Firefox, Microsoft Edge). They must not exceed a validity of 39 months. If you get an "Issuer not found" warning for such a certificate please contact our [[hotline@aai.dfn.de|helpdesk]]. +You can use certificates issued by common Certification Authorities (CAs) that are preinstalled in the most common web browsers (Google Chrome, Firefox, Microsoft Edge). If you get an "Issuer not found" warning for such a certificate please contact our [[hotline@aai.dfn.de|helpdesk]].  
 + 
 +\\ 
 + 
 +=== Be careful with wildcard certificates! === 
 + 
 +Since wildcard certificates are valid for an entire subdomain and can therefore be used for several entities at the same time, the potential damage in the event of a compromise of the private key is significantly higher than with certificates for precisely specified FQDNs. Therefore, wildcard certificates should only be used in the DFN-AAI if the usage scenario technically requires it. For example, there are software systems, especially in the library context, which dynamically generate host names and which do not work with conventional certificates. Examples of such software: EZProxy, Netman/HAN. 
 +\\ 
 +One and the same wildcard certificate should not be used on different servers with different services, purposes or protection classes. Due to the higher potential for damage in the event of compromise, wildcard certificates are not a proven means of saving work when applying for and deploying certificates. \\ 
 + 
 +Wildcard certificates are therefore only accepted in the DFN-AAI below sub-domains or second-level domains that are used exclusively for a clearly defined purpose, e.g. for ''"*.ub.uni-example.de"'' or for ''"*.medizin.uni-example.de"'', but not for ''"*.uni-example.de"''
 + 
 + 
 + 
 + 
 +\\ 
 + 
 +=== Own/Local CA === 
 +For certificates from a local CA the same rules apply as for self-signed certificates, see below. 
 + 
 +\\
  
 === Self-signed Certificates === === Self-signed Certificates ===
-Self-signed certificates may be used as well if they are not valid for longer than 39 months. For production, the CN (or the subject alternative names) of the certificate must at least contain the domain name of the SP. Ideally it should contain the complete host name. As for the technical details, please refer to the online documentation of [[https://www.switch.ch/aai/guides/sp/configuration/#4|SWITCHaai]]. Before joining the DFN-AAI production federation, self-signed certificates have to be verified by the DFN-AAI operations team. For this purpose, the following options are available after you uploaded your certificate in the metadata administration tool: +Self-signed certificates may be used if they are not valid for longer than 39 months. For production, the CN (or the subject alternative names) of the certificate must at least contain the domain name of the SP. Ideally it should contain the complete host name. As for the technical details, please refer to the online documentation of [[https://www.switch.ch/aai/guides/sp/configuration/#4|SWITCHaai]]. Please note that the period of validity must be set at 3 years or a maximum of 39 months (keygen tool: ''-y 3'', openssl: ''-days 1170'').  
-  * Please offer us a possibility to download the certificate via https (e.g. via your SPs metadata handler or a download link to the file on your webserver). The SSL connection to the webserver has to be secured by a trusted CA certificate. + 
-  * If you do not have the possibility to send us a download link, we can compare the certificate's fingerprint via fax to +49-711-63314-133 (caller-ID must be transmitted!) or telephone (we'll call you on a publicly known number). Here is how you find out the fingerprints: +\\
-<code> +
-$ openssl x509 -noout -fingerprint -sha1 -in self-signed-server-cert.pem +
-openssl x509 -noout -fingerprint -sha256 -in self-signed-server-cert.pem +
-</code> +
-  * As a third option, you can send us the certificate in an S/MIME-signed (signing cert form a well known CA) email to [[hotline@aai.dfn.de|hotline@aai.dfn.de]].+
  
-<callout type="danger" title="Exceptions">+<callout color="#ff9900" title="Exceptions">
 **As for Service Providers that are already registered with another federation, the same certificate (i.e. the one registered with the other federation) may be used even if the aforementioned requirements are not met.** In this case, please drop a note to the DFN-AAI [[hotline@aai.dfn.de|helpdesk]]. **As for Service Providers that are already registered with another federation, the same certificate (i.e. the one registered with the other federation) may be used even if the aforementioned requirements are not met.** In this case, please drop a note to the DFN-AAI [[hotline@aai.dfn.de|helpdesk]].
 </callout> </callout>
Line 44: Line 62:
 ==== Certificate / Key Rollover (SP) ==== ==== Certificate / Key Rollover (SP) ====
  
-Whenever you switch to a new certificate, both the old and the new one are temporarily part of the federation's metadata. We recommend the documentation of [[https://www.switch.ch/aai/support/certificates/certificate-migration/|SWITCHaai]](When their documentation tells you to wait two hours, you should wait a whole day as the distribution of metadata to all DFN-AAI participants can take that long. If you have a DFN-PKI certificate, replace their referrals to self-signed certificates with the DFN-PKI certificate.There is also some documentation in the [[https://wiki.shibboleth.net/confluence/display/SP3/Multiple+Credentials#MultipleCredentials-KeyRollover|Shibboleth Wiki]].+Whenever you switch to a new certificate, both the old and the new one are temporarily part of the federation's metadata. We recommend the documentation of SWITCHaai: 
 +  * [[https://www.switch.ch/aai/guides/idp/certificate-rollover/|Shibboleth IdP, Step 0]] (Important: Tomcat User must have read access both on the private key and the certificate) 
 +  * [[https://www.switch.ch/aai/guides/sp/certificate-rollover/|Shibboleth SP, Step 0]] 
 +  * [[https://www.switch.ch/aai/support/certificates/embeddedcerts-requirements-appendix-a/|OpenSSL]] 
 +Note: When their documentation tells you to wait two hours, you should wait a whole day as the distribution of metadata to all DFN-AAI participants can take that long. If you have a DFN-PKI certificate, replace their referrals to self-signed certificates with the DFN-PKI certificate. There is also some documentation in the [[https://wiki.shibboleth.net/confluence/display/SP3/Multiple+Credentials#MultipleCredentials-KeyRollover|Shibboleth Wiki]].
  
 ===== The SSL certificate chain on your webserver ===== ===== The SSL certificate chain on your webserver =====
Line 75: Line 97:
 If there is another intermediate certificate, compare the above issuer hash with its hash and so on. Like this, you crawl up to the root certificate step by step. If there is another intermediate certificate, compare the above issuer hash with its hash and so on. Like this, you crawl up to the root certificate step by step.
  
-If you use the Apache webserver, point the SSLCACertificateFile directive to your chain file. (See the example configuration on [[de:shibidp3prepare-http#konfiguration|IdP Preparations: HTTPServer]] resp. [[de:shibsp#konfigurationsbeispiel|Shibboleth SP configuration example]]).+If you use the Apache webserver, point the SSLCACertificateFile directive to your chain file. (See the example configuration on [[de:shibidp:prepare-http#vhost-konfiguration|IdP Preparations: Webserver]] (de) resp. [[de:shibsp#konfigurationsbeispiel|Shibboleth SP configuration example]]).
  
 Once you have added you certificate chain, adapted your configuration and activated it you can verify it with OpenSSL: Once you have added you certificate chain, adapted your configuration and activated it you can verify it with OpenSSL:
  • Last modified: 5 years ago