Removing Certs from Metadata

Chad La Joie lajoie at
Mon Nov 28 14:00:40 GMT 2011

I still don't understand the issue.  Certificates are the *public*
part of your keypair.  There is no danger to having them accessible to

Additionally, usually metadata isn't in version control unless your
metadata management process puts it there.  If that's the case, you
probably do want to have the certs in there so you can track when a
cert, associated with a given entity, changed.

On Mon, Nov 28, 2011 at 08:57, Zmuda, Matthew R <Matthew.R.Zmuda at> wrote:
> I suppose I may be misunderstanding something.
> The issue I have is that we don't want to have the production certs sitting around in source control... or having developers have access to the production certs/metadata.
> How would a production deployment happen then? I suppose we would deploy our application without the IdP metadata then manually add it after.
> Matthew Zmuda | IT Solutions Developer
> DCTS - Online Channels - Authentication and Security
> P: 519-667-6052 | F: 519-667-6917
> -----Original Message-----
> From: users-bounces at [mailto:users-bounces at] On Behalf Of Tom Scavo
> Sent: Monday, November 28, 2011 8:49 AM
> To: Shib Users
> Subject: Re: Removing Certs from Metadata
> On Mon, Nov 28, 2011 at 8:43 AM, Zmuda, Matthew R
> <Matthew.R.Zmuda at> wrote:
>> What are my options for removing the inline = X509Certificate from IDP
>> metadata?
>> I looked through the schemas and didn't notice any ways to load from file,
>> or some other way so I don't have to use inline certs in metadata.
> The trusted certificates in metadata are meant to be used in
> cross-domain fashion so accessing them from the file system is not an
> option. I think you're misunderstanding the uses of certificates in
> metadata.
> Tom
> --
> To unsubscribe from this list send an email to users-unsubscribe at

Chad La Joie
trusted identities, delivered
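As an added example (not code from this thread or from Shibboleth), the script below does what Chad describes: it pulls every X509Certificate out of SAML metadata and fingerprints it per entity and key use, so a cert change for a given entity shows up as a one-line diff in version control, and it checks that the file carries public certificates only. The sample metadata and the base64 blob are constructed placeholders, not a real certificate.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 metadata and XML Signature.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: one IdP entity with a single signing certificate.
# The base64 is a placeholder blob standing in for DER bytes, not a real cert.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed-placeholder-der-bytes").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {SAMPLE_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def fingerprint(cert_b64: str) -> str:
    """SHA-256 over the DER bytes, matching `openssl x509 -fingerprint -sha256`."""
    der = base64.b64decode("".join(cert_b64.split()))  # strip line breaks first
    return hashlib.sha256(der).hexdigest()

def contains_private_key(xml_text: str) -> bool:
    """Sanity check before committing: metadata must carry public certs only."""
    return "PRIVATE KEY" in xml_text

def cert_inventory(xml_text: str) -> list[dict]:
    """One record per <ds:X509Certificate>, keyed by entityID and key use.
    Sorted output gives a stable text file that diffs cleanly in version control."""
    root = ET.fromstring(xml_text)
    # Accept either a bare EntityDescriptor or an EntitiesDescriptor aggregate.
    md_ed = f"{{{NS['md']}}}EntityDescriptor"
    descriptors = [root] if root.tag == md_ed else root.findall("md:EntityDescriptor", NS)
    records = []
    for ed in descriptors:
        for kd in ed.iter(f"{{{NS['md']}}}KeyDescriptor"):
            # A KeyDescriptor without a use attribute serves both signing and encryption.
            for cert in kd.iter(f"{{{NS['ds']}}}X509Certificate"):
                records.append({"entity_id": ed.get("entityID"),
                                "use": kd.get("use", "signing+encryption"),
                                "sha256": fingerprint(cert.text or "")})
    return sorted(records, key=lambda r: (r["entity_id"], r["use"], r["sha256"]))
```

Run `cert_inventory` over the aggregate you commit and keep its output beside the metadata; a rotated certificate then appears as a changed fingerprint line for exactly the entity that rotated it.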
