Define a New Cryptographic Credential
The IdP uses credentials to perform various cryptographic functions (message signing, server/client authenticated TLS connections, encryption, etc.). Credentials are defined in the $IDP_HOME/config/relying-party.xml file as described below.
If you want to regenerate an IdP's credential, see IdPCertRenew.
Define the Credential
The IdP may have any number of credentials. All credentials are defined after the MetadataProvider element in the relying-party.xml file.
Like other components in the IdP, credentials are defined with a generic element, Credential, that contains a type-identifying attribute. Each Credential must define an id attribute, which is used in relying party configurations to refer to the credential, and optionally a usage attribute, which restricts the usage of the credential, with a value of Encryption or Signing. A Credential without a usage attribute may be used for either signing (XML digital signatures, SAML simple sign profiles, and TLS connections) or XML encryption.
The following credential types are currently supported.
Inline X.509 Credential
This credential type allows X.509 credential components to be defined within the various configuration elements themselves in various formats: PEM, DER, PKCS 8 & 12.
Credentials of this type are defined with a Credential element with the attribute xsi:type="X509Inline". The Credential element may then have some of the following child elements:
- KeyName - A name, or reference, for this credential which may be used in place of the larger expanded form in some use cases. Multiple KeyName elements are allowed.
- PrivateKey - The private key for the credential; only one PrivateKey element is allowed. The PrivateKey element may include a password attribute with the decryption password for the key.
- Certificate - The public certificate, or a certificate in the trust chain, for this credential. Each Certificate element may contain more than one encoded certificate and more than one Certificate element may be used. A Certificate element may contain the entityCertificate boolean attribute to indicate that the given certificate is the entity certificate for this credential.
- CRL - A CRL for this credential. Multiple CRL elements are allowed.
<!-- MetadataProvider element above this point -->
<Credential xsi:type="X509Inline" xmlns="urn:mace:shibboleth:2.0:security" id="MyCredential">
    <KeyName>key.example.org</KeyName>
    <PrivateKey password="myKeyPa$$word">
        <!-- Some DER, PEM, or PKCS 8 encoded key -->
    </PrivateKey>
    <Certificate>
        <!-- Some DER or PEM encoded cert -->
    </Certificate>
</Credential>
Filesystem X.509 Credential
This credential type allows X.509 credential components, in various formats (PEM, DER, PKCS 8 & 12), to be read from files on the filesystem.
Credentials of this type are defined with a Credential element with the attribute xsi:type="X509Filesystem". The Credential element may then have some of the following child elements:
- KeyName - A name, or reference, for this credential which may be used in place of the larger expanded form in some use cases. Multiple KeyName elements are allowed.
- PrivateKey - The private key file for the credential; only one PrivateKey element is allowed. The PrivateKey element may include a password attribute with the decryption password for the key.
- Certificate - A public certificate file, or a certificate in the trust chain, for this credential. Each Certificate element may contain more than one encoded certificate and more than one Certificate element may be used. A Certificate element may contain the entityCertificate boolean attribute to indicate that the given certificate is the entity certificate for this credential.
- CRL - A CRL file for this credential. Multiple CRL elements are allowed.
<!-- MetadataProvider element above this point -->
<Credential xsi:type="X509Filesystem" xmlns="urn:mace:shibboleth:2.0:security" id="MyCredential">
    <KeyName>key.example.org</KeyName>
    <PrivateKey password="myKeyPa$$word">/path/to/my/private.key</PrivateKey>
    <Certificate>/path/to/my/public.crt</Certificate>
</Credential>
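As an added example (not part of the Shibboleth project or this page), the following Python script checks the Credential elements described in both sections above against the rules the page states: an id is required, usage must be Encryption or Signing when present, only one PrivateKey is allowed, at most one Certificate should be flagged as the entity certificate, and for X509Filesystem credentials every referenced file path must exist. The sample XML, the Root wrapper element, the "Broken" credential and the path_exists hook are constructed for this example.

```python
import os
import xml.etree.ElementTree as ET

SEC_NS = "{urn:mace:shibboleth:2.0:security}"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
CREDENTIAL_TYPES = {"X509Inline", "X509Filesystem"}
USAGES = {"Encryption", "Signing"}

def check_credentials(xml_text, path_exists=os.path.exists):
    """Return the problems found in each Credential of a relying-party.xml fragment."""
    problems = []
    for cred in ET.fromstring(xml_text).iter(SEC_NS + "Credential"):
        cid, ctype, usage = cred.get("id"), cred.get(XSI_TYPE), cred.get("usage")
        label = f"Credential id={cid!r}"
        if not cid:
            problems.append("Credential without an id attribute")
        # usage is optional; if present it must be exactly one of the two values
        if usage is not None and usage not in USAGES:
            problems.append(f"{label}: usage must be Encryption or Signing, got {usage!r}")
        if ctype not in CREDENTIAL_TYPES:
            problems.append(f"{label}: unsupported xsi:type {ctype!r}")
            continue
        keys = cred.findall(SEC_NS + "PrivateKey")
        certs = cred.findall(SEC_NS + "Certificate")
        if len(keys) > 1:
            problems.append(f"{label}: only one PrivateKey element is allowed")
        if sum(c.get("entityCertificate", "false") == "true" for c in certs) > 1:
            problems.append(f"{label}: more than one entityCertificate=\"true\"")
        if ctype == "X509Filesystem":
            # for filesystem credentials the element text is a file path; it must resolve
            for el in keys + certs + cred.findall(SEC_NS + "CRL"):
                path = (el.text or "").strip()
                if not path or not path_exists(path):
                    problems.append(f"{label}: {el.tag[len(SEC_NS):]} path missing: {path!r}")
    return problems

# Constructed sample: the Root wrapper and the second credential are made up to trigger checks
SAMPLE = """<Root xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Credential xsi:type="X509Filesystem" xmlns="urn:mace:shibboleth:2.0:security" id="MyCredential">
    <KeyName>key.example.org</KeyName>
    <PrivateKey password="myKeyPa$$word">/path/to/my/private.key</PrivateKey>
    <Certificate entityCertificate="true">/path/to/my/public.crt</Certificate>
  </Credential>
  <Credential xsi:type="X509Filesystem" xmlns="urn:mace:shibboleth:2.0:security" id="Broken" usage="Both">
    <PrivateKey>/path/to/a.key</PrivateKey>
    <PrivateKey>/path/to/b.key</PrivateKey>
    <Certificate>/missing.crt</Certificate>
  </Credential>
</Root>"""
```

Run it against a real relying-party.xml with the default path_exists to confirm that every file the IdP will try to read at startup is actually present.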