...

Tip
When you're done with this primer, read the topic on Shibboleth IdP Keys and Certificates.

Terminology

...

Code Block
languagebash
titleCreate a private key and certificate
# change these values as needed
$ OUT_DIR=/tmp/credentials
$ LIFETIME=3650 # 10 yrs
$ mkdir -p $OUT_DIR

# normally, only a back-channel TLS certificate needs a subject name
# but it doesn't hurt to add this to a signing or encryption certificate
$ SUBJECT_NAME='/CN=hostname.example.org'

# create a 2048-bit key with long-lived, self-signed certificate
# (-nodes writes the private key unencrypted, so restrict access to the file)
$ /usr/bin/openssl req -new -x509 -nodes \
    -newkey rsa:2048 -keyout $OUT_DIR/key.pem \
    -days $LIFETIME -subj "$SUBJECT_NAME" -out $OUT_DIR/cert.pem
$ chmod 600 $OUT_DIR/key.pem

...

Finally, bind the above certificate to an <md:KeyDescriptor use="signing"> element in SAML metadata (the base64 body of cert.pem, without the BEGIN/END lines, goes inside <ds:X509Certificate>):

Code Block
languagexml
titleA KeyDescriptor of type "signing"
<md:KeyDescriptor use="signing">
  <ds:KeyInfo>
    <ds:X509Data>
      <ds:X509Certificate>
        ...
      </ds:X509Certificate>
    </ds:X509Data>
  </ds:KeyInfo>
</md:KeyDescriptor>

The certificate above is either a signing certificate or a back-channel TLS certificate (or both). SAML metadata has no separate use value for TLS, so a certificate that authenticates the back-channel TLS server is published under use="signing" just like a signing certificate.
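The two steps above (generate the credential, then wrap the certificate in a KeyDescriptor) are easy to get slightly wrong by hand: the PEM header lines must be dropped, the key file should not be world-readable, and an expired certificate must not be published. The script below is an added example, not part of the original page or the Shibboleth project; the variable and function names (OUT_DIR, LIFETIME, SUBJECT_NAME, make_credential, pem_body, key_descriptor, check_cert) are this example's own choices, and the only tools it relies on are openssl, grep and tr.

```shell
#!/bin/sh
# Added example (not from the original page): create a long-lived self-signed
# credential and print the matching <md:KeyDescriptor> element.
# OUT_DIR, LIFETIME and SUBJECT_NAME are assumed defaults; override via the environment.

OUT_DIR="${OUT_DIR:-/tmp/credentials}"
LIFETIME="${LIFETIME:-3650}"                      # days; 10 years
SUBJECT_NAME="${SUBJECT_NAME:-/CN=hostname.example.org}"

# Generate key.pem and cert.pem under $OUT_DIR: 2048-bit RSA, self-signed,
# private key written without a passphrase (-nodes), so lock the files down.
make_credential() {
    mkdir -p "$OUT_DIR"
    chmod 700 "$OUT_DIR"
    openssl req -new -x509 -nodes -newkey rsa:2048 \
        -keyout "$OUT_DIR/key.pem" -days "$LIFETIME" \
        -subj "$SUBJECT_NAME" -out "$OUT_DIR/cert.pem" 2>/dev/null
    chmod 600 "$OUT_DIR/key.pem"
}

# Reduce a PEM certificate file ($1) to the bare base64 body that belongs
# inside <ds:X509Certificate>: drop the -----BEGIN/END----- lines, join the rest.
pem_body() {
    grep -v -e '^-----' "$1" | tr -d '\r\n'
}

# Print a KeyDescriptor for the certificate in $1 with the given use
# ($2, default "signing"; a back-channel TLS certificate also uses "signing").
key_descriptor() {
    use="${2:-signing}"
    printf '<md:KeyDescriptor use="%s">\n' "$use"
    printf '  <ds:KeyInfo>\n    <ds:X509Data>\n      <ds:X509Certificate>'
    pem_body "$1"
    printf '</ds:X509Certificate>\n    </ds:X509Data>\n  </ds:KeyInfo>\n</md:KeyDescriptor>\n'
}

# Pre-publication check: the certificate parses and has not already expired
# (-checkend 0 fails for a certificate whose notAfter is in the past).
check_cert() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Typical use:
#   make_credential && check_cert "$OUT_DIR/cert.pem" && key_descriptor "$OUT_DIR/cert.pem"
```

Run it once per credential and paste the printed element into the entity's SAML metadata. For a rollover, generate the new credential first, publish both KeyDescriptor elements side by side, and only remove the old one after every peer has picked up the new metadata.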