Help with StaticPKIX test
Jonathan Bricker
jbricker at exacttarget.com
Wed Sep 7 13:23:29 BST 2011
I'm trying to set up a StaticPKIX trust engine on our SP. This is the first time I've done this with Shibboleth. I'm getting a ProfileException that the signature cannot be verified. This is all in a sandbox so I have complete control over my setup.
I created my own CA cert via openssl. I then created a new key and cert for my test IdP that was signed by my CA and did a key rollover. I tested vs. the SP with just the changed key and it worked.
I set up my SP trust engine like so...
<TrustEngine type="StaticPKIX">
    <CredentialResolver type="File">
        <Certificate format="PEM">
            <Path>/etc/shibboleth/credentials/rootca.pem</Path>
        </Certificate>
    </CredentialResolver>
</TrustEngine>
One question would be my metadata from the IdP. I do not see attributes in the KeyDescriptors or KeyInfo tags. I assume that this is a config problem on the IdP. How can I make sure that key names from the cert are passed so the PKIX will work?
Thanks,