Versions Compared

Old Version 15

changes.mady.by.user trscavo@internet2.edu

Saved on

compared with

New Version 16

changes.mady.by.user trscavo@internet2.edu

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

The signing KeyDescriptor type corresponds to an <md:KeyDescriptor use=”signing”> element in metadata. The actual certificate contained by this metadata element is used for enables message-level signing (i.e., XML Signature) or back-channel TLS authentication (or both).

...

The encryption KeyDescriptor type corresponds an <md:KeyDescriptor use=”encryption”> element in metadata. The actual certificate contained by this metadata element is used for enables message-level encryption (i.e., XML Encryption).

...

This section shows how to use the openssl command-line tool to create a strong key pair with a long-lived, self-signed certificate.

Warning
titleSecurity Alert!
If the private key created below is intended for a production system, issue the following command directly on the target system (IdP or SP) only. Otherwise remove the -nodes option to enable encryption of the private key. When the -nodes option is removed, the tool will prompt the user for a decryption password.
Code Block
languagebash
titleCreate a private key and certificate
# change these values as needed
$ OUT_DIR=/tmp/credentials
$ SUBJECT_NAME='/CN=hostname.example.org'
$ LIFETIME=3650 # 10 yrs

# create a 2048-bit key with long-lived, self-signed certificate
$ /usr/bin/openssl req -new -x509 -nodes \
    -newkey rsa:2048 -keyout $OUT_DIR/key.pem \
    -days $LIFETIME -subj $SUBJECT_NAME -out $OUT_DIR/cert.pem

...

Use the openssl command-line tool to inspect the certificate created in the previous section. Note that the certificate contains a 2048-bit public key.

Code Block
languagebash
titleInspect the certificate
# inspect the certificate
$ /usr/bin/openssl x509 -text -in $OUT_DIR/cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            92:bf:75:98:a6:ed:22:4c
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=hostname.example.org
        Validity
            Not Before: Jun 4 22:42:33 2016 GMT
            Not After : Jun 2 22:42:33 2026 GMT
        Subject: CN=hostname.example.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:dd:a9:e8:c0:8a:de:66:29:b1:bf:f1:ff:ae:6f:
                    20:24:61:4e:e4:63:77:23:58:8d:6a:5f:7f:8b:d6:
                    56:b4:1a:3e:cb:61:cc:cc:a6:f4:91:64:5c:d8:f5:
                    cc:f7:68:74:b1:24:5e:c7:ac:1e:18:12:83:26:01:
                    f7:cf:ca:b2:a4:da:ee:d8:3e:cf:03:b9:de:ba:84:
                    9c:c8:e1:02:cf:5c:41:ac:83:e5:e2:40:8e:dc:80:
                    e6:6c:19:44:ee:9c:62:80:f9:30:f7:25:b8:76:d1:
                    b5:c0:fb:41:63:6f:09:c3:20:21:5f:f5:9a:e9:53:
                    86:e7:f1:4d:bc:dd:6f:ac:2c:69:6d:f4:34:3a:8e:
                    52:05:93:70:60:c8:37:52:5f:90:e6:47:ad:fd:ef:
                    b2:42:a2:94:a0:bc:c1:65:f4:c3:01:17:0e:03:4e:
                    1a:d2:7b:02:47:ad:08:ca:54:06:93:c7:ed:d2:01:
                    bd:00:ca:7d:8e:bb:bd:5f:6d:b8:67:39:40:a6:bb:
                    3d:5a:79:37:a2:4a:49:c1:ec:41:2e:51:c5:39:e3:
                    d4:4c:50:56:f2:97:77:3e:ed:68:77:87:2f:c0:aa:
                    bd:5f:62:e4:b3:c8:63:e8:e7:b5:9d:1b:bc:ae:da:
                    a9:7e:36:de:33:f2:ae:8f:04:07:de:e8:d9:65:20:
                    d7:45
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                36:DF:9D:01:14:C7:25:E1:6F:BE:F7:A9:BF:92:93:DA:17:76:3E:1E
            X509v3 Authority Key Identifier:
                keyid:36:DF:9D:01:14:C7:25:E1:6F:BE:F7:A9:BF:92:93:DA:17:76:3E:1E
                DirName:/CN=hostname.example.org
                serial:92:BF:75:98:A6:ED:22:4C

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
        85:d1:34:67:46:9c:b8:32:15:e0:bb:78:fb:23:53:59:8b:7b:
        9d:71:a0:df:62:17:5f:67:97:f0:51:76:a5:79:5c:c3:56:83:
        51:bf:8a:f6:1a:74:86:4b:31:fd:a2:f4:ea:f9:54:57:5d:ea:
        f7:9e:a9:ee:c4:79:0e:33:d7:eb:d9:66:7e:12:13:87:c1:82:
        ab:81:c6:24:97:8e:a1:74:c7:2e:1d:70:4e:63:d6:d7:0c:44:
        65:a2:bd:46:aa:35:a8:dc:e3:51:a3:84:50:d0:50:ae:b0:8e:
        7e:32:15:8c:88:68:35:59:0a:b8:09:e6:60:f5:02:f7:50:ea:
        57:8d:3d:45:8d:c3:c1:8c:54:27:4b:b8:c0:58:b6:2d:a8:c8:
        bc:6c:ce:6c:ab:77:1a:b5:dc:e6:5d:ac:d6:e5:1f:b5:6d:17:
        9c:70:45:e7:2f:86:3d:72:aa:78:5d:ab:bd:f9:79:f3:dd:6f:
        15:0b:16:18:c4:6b:81:04:62:13:76:36:af:b9:02:84:d1:39:
        76:3b:bd:3a:4a:33:f9:97:43:dc:ae:52:71:b7:e7:c1:02:a0:
        c2:03:4f:ff:1e:d6:12:25:57:df:58:79:94:1e:c3:08:c3:b6:
        fe:b9:69:43:14:6f:4e:1c:a8:8c:ed:41:dc:fc:b2:4e:75:3a:
        20:67:51:9d
-----BEGIN CERTIFICATE-----
MIIDQjCCAiqgAwIBAgIJAJK/dZim7SJMMA0GCSqGSIb3DQEBBQUAMB8xHTAbBgNV
BAMTFGhvc3RuYW1lLmV4YW1wbGUub3JnMB4XDTE2MDYwNDIyNDIzM1oXDTI2MDYw
MjIyNDIzM1owHzEdMBsGA1UEAxMUaG9zdG5hbWUuZXhhbXBsZS5vcmcwggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDdqejAit5mKbG/8f+ubyAkYU7kY3cj
WI1qX3+L1la0Gj7LYczMpvSRZFzY9cz3aHSxJF7HrB4YEoMmAffPyrKk2u7YPs8D
ud66hJzI4QLPXEGsg+XiQI7cgOZsGUTunGKA+TD3Jbh20bXA+0FjbwnDICFf9Zrp
U4bn8U283W+sLGlt9DQ6jlIFk3BgyDdSX5DmR63977JCopSgvMFl9MMBFw4DThrS
ewJHrQjKVAaTx+3SAb0Ayn2Ou71fbbhnOUCmuz1aeTeiSknB7EEuUcU549RMUFby
l3c+7Wh3hy/Aqr1fYuSzyGPo57WdG7yu2ql+Nt4z8q6PBAfe6NllINdFAgMBAAGj
gYAwfjAdBgNVHQ4EFgQUNt+dARTHJeFvvvepv5KT2hd2Ph4wTwYDVR0jBEgwRoAU
Nt+dARTHJeFvvvepv5KT2hd2Ph6hI6QhMB8xHTAbBgNVBAMTFGhvc3RuYW1lLmV4
YW1wbGUub3JnggkAkr91mKbtIkwwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUF
AAOCAQEAhdE0Z0acuDIV4Lt4+yNTWYt7nXGg32IXX2eX8FF2pXlcw1aDUb+K9hp0
hksx/aL06vlUV13q956p7sR5DjPX69lmfhITh8GCq4HGJJeOoXTHLh1wTmPW1wxE
ZaK9Rqo1qNzjUaOEUNBQrrCOfjIVjIhoNVkKuAnmYPUC91DqV409RY3DwYxUJ0u4
wFi2LajIvGzObKt3GrXc5l2s1uUftW0XnHBF5y+GPXKqeF2rvfl5891vFQsWGMRr
gQRiE3Y2r7kChNE5dju9Okoz+ZdD3K5ScbfnwQKgwgNP/x7WEiVX31h5lB7DCMO2
/rlpQxRvThyojO1B3PyyTnU6IGdRnQ==
-----END CERTIFICATE-----

...

Finally, bind the above certificate to an <md:KeyDescriptor> element in SAML metadata:

Code Block
languagexml
titleA KeyDescriptor of type "signing"
<md:KeyDescriptor use=”signing”>
  <ds:KeyInfo>
    <ds:X509Data>
      <ds:X509Certificate>
MIIDQjCCAiqgAwIBAgIJAJK/dZim7SJMMA0GCSqGSIb3DQEBBQUAMB8xHTAbBgNV
BAMTFGhvc3RuYW1lLmV4YW1wbGUub3JnMB4XDTE2MDYwNDIyNDIzM1oXDTI2MDYw
MjIyNDIzM1owHzEdMBsGA1UEAxMUaG9zdG5hbWUuZXhhbXBsZS5vcmcwggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDdqejAit5mKbG/8f+ubyAkYU7kY3cj
WI1qX3+L1la0Gj7LYczMpvSRZFzY9cz3aHSxJF7HrB4YEoMmAffPyrKk2u7YPs8D
ud66hJzI4QLPXEGsg+XiQI7cgOZsGUTunGKA+TD3Jbh20bXA+0FjbwnDICFf9Zrp
U4bn8U283W+sLGlt9DQ6jlIFk3BgyDdSX5DmR63977JCopSgvMFl9MMBFw4DThrS
ewJHrQjKVAaTx+3SAb0Ayn2Ou71fbbhnOUCmuz1aeTeiSknB7EEuUcU549RMUFby
l3c+7Wh3hy/Aqr1fYuSzyGPo57WdG7yu2ql+Nt4z8q6PBAfe6NllINdFAgMBAAGj
gYAwfjAdBgNVHQ4EFgQUNt+dARTHJeFvvvepv5KT2hd2Ph4wTwYDVR0jBEgwRoAU
Nt+dARTHJeFvvvepv5KT2hd2Ph6hI6QhMB8xHTAbBgNVBAMTFGhvc3RuYW1lLmV4
YW1wbGUub3JnggkAkr91mKbtIkwwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUF
AAOCAQEAhdE0Z0acuDIV4Lt4+yNTWYt7nXGg32IXX2eX8FF2pXlcw1aDUb+K9hp0
hksx/aL06vlUV13q956p7sR5DjPX69lmfhITh8GCq4HGJJeOoXTHLh1wTmPW1wxE
ZaK9Rqo1qNzjUaOEUNBQrrCOfjIVjIhoNVkKuAnmYPUC91DqV409RY3DwYxUJ0u4
wFi2LajIvGzObKt3GrXc5l2s1uUftW0XnHBF5y+GPXKqeF2rvfl5891vFQsWGMRr
gQRiE3Y2r7kChNE5dju9Okoz+ZdD3K5ScbfnwQKgwgNP/x7WEiVX31h5lB7DCMO2
/rlpQxRvThyojO1B3PyyTnU6IGdRnQ==
      </ds:X509Certificate>
    </ds:X509Data>
  </ds:KeyInfo>
</md:KeyDescriptor>

The certificate above is either a signing certificate or a back-channel TLS certificate (or both).