...

  • use (one of "signing", "encryption", or "TLS")
    • Optional setting that limits the application of the credential to the designated purpose. Note that "signing" implies "TLS" (it's a superset).

Version 2.1 and Above

  • keyInfoMask (integer bitmask) (defaults to 15) (Version 2.1 and Above)
    • Optional bitmask controlling the content of the generated <ds:KeyInfo> element. By default, various combinations of the key value, name(s), X.509 certificate, and X.509 subject name are included. The certificate issuer and serial number are not, because of known bugs in non-Shibboleth software. The actual output in any given case depends on the underlying implementation.
  • extractNames (boolean) (defaults to true) (Version 2.3.1 and Above)
    • Optional flag to disable the default extraction of "key names" from the supplied certificate. Allows the deployer to control exactly which names, if any, will be available to match against a compared key in a signature or encrypted key block. Normally left on except in specialized cases.

Child Elements

  • <Key>
    • References a private key. The following attributes and elements can appear in it:
      • password (string)
        • Optional password for decrypting the private key.
      • format ("PEM", "DER", or "PKCS12")
        • Optional indicator of key file format. Will be auto-detected in most cases.
      • <Path>
        • Element containing pathname of key file. Required prior to version 2.2.
      • <Name> (zero or more)
        • Attaches an "alias" to the key to allow for selection of the key based on its name. Also adds the name to the <ds:KeyInfo> element included in XML messages to assist relying parties in identifying which key was used.
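
An added configuration example (not from the original page) that ties the settings above together: a file-based resolver restricted to signing, with certificate-derived name extraction turned off and a single explicit alias supplied through <Name> instead. The enclosing <CredentialResolver type="File"> element, the key path and the alias value are assumptions.

```xml
<!-- Added example; the enclosing element, key path and alias are assumptions -->
<CredentialResolver type="File"
                    use="signing"
                    keyInfoMask="15"
                    extractNames="false">
  <!-- format is normally auto-detected; stated explicitly here.
       If the key file is encrypted, add password="..." to <Key>, and then
       restrict read permission on this configuration file accordingly. -->
  <Key format="PEM">
    <Path>/etc/shibboleth/sp-signing-key.pem</Path>
    <!-- With extractNames="false", no names are derived from a certificate;
         this alias is the name available for key matching and the one
         added to the generated ds:KeyInfo -->
    <Name>sp-signing-key</Name>
  </Key>
</CredentialResolver>
```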

...