IdPPKIXValidationInfo
Define New PKIX Validation Information
PKIX validation information is used when performing PKIX validation on X.509 certificates. It represents a trusted set of material (trusted CA certificates, CRLs, and a verification depth) within the IdP from which other trust can be derived: a certificate is accepted only if a certification path can be built from it to one of the trusted certificates, within the configured depth, without passing through a revoked certificate. There are two ways to define validation information, depending on where the trust material resides.
Filesystem Validation Information
This validation information declaration is used when the trust material resides on the local filesystem in PEM or DER encoded files.
This validation information is defined by the element <ValidationInfo xsi:type="PKIXFilesystem">
with the required attribute:
- id - provides a unique ID for the validation information set
the following optional attribute:
- verifyDepth - the maximum depth of the PKIX certification path, that is, how many intermediate CA certificates may sit between the certificate being validated and one of the trusted certificates; default: 1
and the following elements (each of these elements may occur more than once, but they must occur in the order listed, all <Certificate> elements before any <CRL> element):
<Certificate>
- path to a PEM or DER encoded certificate
<CRL>
- path to a PEM or DER encoded CRL
<ValidationInfo id="filesystemTrust" verifyDepth="5" xsi:type="PKIXFilesystem" xmlns="urn:mace:shibboleth:2.0:security">
    <Certificate>/path/to/trusted/cert1</Certificate>
    <Certificate>/path/to/trusted/cert2</Certificate>
    <CRL>/path/to/trusted/crl</CRL>
</ValidationInfo>
Inline Validation Information
This validation information declaration is used when the trust material is declared inline, that is, as the content of the configuration elements described below.
This validation information is defined by the element <ValidationInfo xsi:type="PKIXInline">
with the required attribute:
- id - provides a unique ID for the validation information set
the following optional attribute:
- verifyDepth - the maximum depth of the PKIX certification path, that is, how many intermediate CA certificates may sit between the certificate being validated and one of the trusted certificates; default: 1
and the following elements (each of these elements may occur more than once, but they must occur in the order listed, all <Certificate> elements before any <CRL> element):
<Certificate>
- PEM encoded certificate
<CRL>
- PEM encoded CRL
<ValidationInfo id="inlineTrust" verifyDepth="5" xsi:type="PKIXInline" xmlns="urn:mace:shibboleth:2.0:security">
    <Certificate>... PEM ENCODED CERT ...</Certificate>
    <Certificate>... PEM ENCODED CERT ...</Certificate>
    <CRL>... PEM ENCODED CRL ...</CRL>
</ValidationInfo>
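Both declarations above share the same rules (required id, integer verifyDepth, all Certificate elements before any CRL element, and either existing file paths or PEM blocks of the right kind as content). The following linter is an added example, not code from the Shibboleth project, that checks a fragment against those rules before it is deployed. The PEM bodies and file names it uses are constructed placeholders, not real certificates or CRLs, and it only checks PEM armour, it does not parse X.509. It also assumes the xsi prefix is declared on the fragment itself, which a real IdP configuration normally does on its root element.

```python
"""Lint a Shibboleth IdP 2.x PKIX <ValidationInfo> fragment (added example).

Checks: the element is ValidationInfo in urn:mace:shibboleth:2.0:security,
xsi:type is PKIXFilesystem or PKIXInline, id is present, verifyDepth is an
integer, every <Certificate> precedes every <CRL>, filesystem paths exist and
inline content is a PEM CERTIFICATE / X509 CRL block. No X.509 parsing is done.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

SEC_NS = "urn:mace:shibboleth:2.0:security"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"

# PEM armour for the two kinds of trust material accepted inline.
PEM_RE = re.compile(r"-----BEGIN (CERTIFICATE|X509 CRL)-----\n.+?\n-----END \1-----", re.S)
PEM_LABEL = {"Certificate": "CERTIFICATE", "CRL": "X509 CRL"}

# Constructed placeholder bodies: shaped like PEM, not real trust material.
CERT_PEM = "-----BEGIN CERTIFICATE-----\nMIIBogIBAQ==\n-----END CERTIFICATE-----"
CRL_PEM = "-----BEGIN X509 CRL-----\nMIIBogIBAg==\n-----END X509 CRL-----"

XMLNS = ('xmlns="%s" xmlns:xsi="%s"' % (SEC_NS, XSI_NS))

# Well-formed inline declaration: id present, certificates before the CRL.
GOOD_INLINE = """<ValidationInfo id="inlineTrust" verifyDepth="5" xsi:type="PKIXInline" %s>
<Certificate>
%s
</Certificate>
<CRL>
%s
</CRL>
</ValidationInfo>""" % (XMLNS, CERT_PEM, CRL_PEM)

# Broken inline declaration: no id, non-integer verifyDepth, CRL before Certificate.
BAD_INLINE = """<ValidationInfo verifyDepth="deep" xsi:type="PKIXInline" %s>
<CRL>
%s
</CRL>
<Certificate>
%s
</Certificate>
</ValidationInfo>""" % (XMLNS, CRL_PEM, CERT_PEM)

# Filesystem declaration with paths relative to a root directory (constructed names).
FILESYSTEM_FRAGMENT = """<ValidationInfo id="filesystemTrust" verifyDepth="5" xsi:type="PKIXFilesystem" %s>
<Certificate>certs/ca1.pem</Certificate>
<Certificate>certs/ca2.pem</Certificate>
<CRL>certs/ca1.crl</CRL>
</ValidationInfo>""" % XMLNS


def lint_validation_info(xml_text, root_dir=None):
    """Return a list of problems; an empty list means the fragment passes."""
    problems = []
    el = ET.fromstring(xml_text)
    if el.tag != "{%s}ValidationInfo" % SEC_NS:
        problems.append("root element must be ValidationInfo in %s" % SEC_NS)
    xsi_type = (el.get("{%s}type" % XSI_NS) or "").split(":")[-1]
    if xsi_type not in ("PKIXFilesystem", "PKIXInline"):
        problems.append("xsi:type must be PKIXFilesystem or PKIXInline, got %r" % xsi_type)
    if not el.get("id"):
        problems.append("missing required id attribute")
    depth = el.get("verifyDepth", "1")
    if not depth.isdigit():
        problems.append("verifyDepth must be an integer, got %r" % depth)
    seen_crl = False
    cert_count = 0
    for child in el:
        ns, _, local = child.tag.rpartition("}")
        if ns != "{" + SEC_NS:
            problems.append("child %s is not in the security namespace" % local)
        if local == "Certificate":
            cert_count += 1
            if seen_crl:
                problems.append("Certificate after CRL: elements must occur in the order listed")
        elif local == "CRL":
            seen_crl = True
        else:
            problems.append("unexpected element %s" % local)
            continue
        content = (child.text or "").strip()
        if xsi_type == "PKIXFilesystem":
            path = content if root_dir is None else os.path.join(root_dir, content)
            if not os.path.isfile(path):
                problems.append("%s path does not exist: %s" % (local, content))
        elif xsi_type == "PKIXInline":
            m = PEM_RE.fullmatch(content)
            if m is None or m.group(1) != PEM_LABEL[local]:
                problems.append("%s content is not a PEM %s block" % (local, PEM_LABEL[local]))
    if cert_count == 0:
        problems.append("no trusted Certificate elements; nothing can be validated")
    return problems


def lint_filesystem_example():
    """Materialise the constructed paths of FILESYSTEM_FRAGMENT in a temp dir and lint there."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "certs"))
        for name, body in (("ca1.pem", CERT_PEM), ("ca2.pem", CERT_PEM), ("ca1.crl", CRL_PEM)):
            with open(os.path.join(root, "certs", name), "w") as f:
                f.write(body + "\n")
        return lint_validation_info(FILESYSTEM_FRAGMENT, root_dir=root)


if __name__ == "__main__":
    for label, result in (("good inline", lint_validation_info(GOOD_INLINE)),
                          ("bad inline", lint_validation_info(BAD_INLINE)),
                          ("filesystem", lint_filesystem_example())):
        print(label, "->", result or "OK")
```

Run it against a fragment cut from relying-party.xml before restarting the IdP; an element order or missing id problem is a schema failure at startup, while a missing CRL file silently leaves revocation checking without that CRL, so both are cheaper to catch here.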