...
Tip |
---|
When you're done with this primer, read the topic on Shibboleth IdP Keys and Certificates. |
Terminology
...
Code Block | ||||
---|---|---|---|---|
| ||||
# change these values as needed $ OUT_DIR=/tmp/credentials $ LIFETIME=3650 # 10 yrs # normally, only a back-channel TLS certificate needs a subject name # but it doesn't hurt to add this to a signing or encryption certificate $ SUBJECT_NAME='/CN=hostname.example.org' $ LIFETIME=3650 # 10 yrs # create a 2048-bit key with long-lived, self-signed certificate $ /usr/bin/openssl req -new -x509 -nodes \ -newkey rsa:2048 -keyout $OUT_DIR/key.pem \ -days $LIFETIME -subj $SUBJECT_NAME -out $OUT_DIR/cert.pem |
...
Finally, bind the above certificate to an <md:KeyDescriptor>KeyDescriptor use="signing">
element in SAML metadata:
Code Block | ||||
---|---|---|---|---|
| ||||
<md:KeyDescriptor use=”signing”> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate> MIIDQjCCAiqgAwIBAgIJAJK/dZim7SJMMA0GCSqGSIb3DQEBBQUAMB8xHTAbBgNV BAMTFGhvc3RuYW1lLmV4YW1wbGUub3JnMB4XDTE2MDYwNDIyNDIzM1oXDTI2MDYw MjIyNDIzM1owHzEdMBsGA1UEAxMUaG9zdG5hbWUuZXhhbXBsZS5vcmcwggEiMA0G CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDdqejAit5mKbG/8f+ubyAkYU7kY3cj WI1qX3+L1la0Gj7LYczMpvSRZFzY9cz3aHSxJF7HrB4YEoMmAffPyrKk2u7YPs8D ud66hJzI4QLPXEGsg+XiQI7cgOZsGUTunGKA+TD3Jbh20bXA+0FjbwnDICFf9Zrp U4bn8U283W+sLGlt9DQ6jlIFk3BgyDdSX5DmR63977JCopSgvMFl9MMBFw4DThrS ewJHrQjKVAaTx+3SAb0Ayn2Ou71fbbhnOUCmuz1aeTeiSknB7EEuUcU549RMUFby l3c+7Wh3hy/Aqr1fYuSzyGPo57WdG7yu2ql+Nt4z8q6PBAfe6NllINdFAgMBAAGj gYAwfjAdBgNVHQ4EFgQUNt+dARTHJeFvvvepv5KT2hd2Ph4wTwYDVR0jBEgwRoAU Nt+dARTHJeFvvvepv5KT2hd2Ph6hI6QhMB8xHTAbBgNVBAMTFGhvc3RuYW1lLmV4 YW1wbGUub3JnggkAkr91mKbtIkwwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUF AAOCAQEAhdE0Z0acuDIV4Lt4+yNTWYt7nXGg32IXX2eX8FF2pXlcw1aDUb+K9hp0 hksx/aL06vlUV13q956p7sR5DjPX69lmfhITh8GCq4HGJJeOoXTHLh1wTmPW1wxE ZaK9Rqo1qNzjUaOEUNBQrrCOfjIVjIhoNVkKuAnmYPUC91DqV409RY3DwYxUJ0u4 wFi2LajIvGzObKt3GrXc5l2s1uUftW0XnHBF5y+GPXKqeF2rvfl5891vFQsWGMRr gQRiE3Y2r7kChNE5dju9Okoz+ZdD3K5ScbfnwQKgwgNP/x7WEiVX31h5lB7DCMO2 /rlpQxRvThyojO1B3PyyTnU6IGdRnQ== </ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </md:KeyDescriptor> |
The above certificate above is either a signing certificate or a back-channel TLS certificate (or both).