Help with StaticPKIX test

Jonathan Bricker jbricker at
Wed Sep 7 15:44:46 BST 2011

The problem I'm trying to solve with this is an expired signing cert in the IDP metadata. Because of the setup we have with the metadata from the IDPs, the validUntil attribute did not seem practical (We do not have the SP pull the metadata from the IDPs automatically).
I would be interested in hearing how others have solved this problem.

-----Original Message-----
From: users-bounces at [mailto:users-bounces at] On Behalf Of Cantor, Scott
Sent: Wednesday, September 07, 2011 9:57 AM
To: users at
Subject: Re: Help with StaticPKIX test

On 9/7/11 8:23 AM, "Jonathan Bricker" <jbricker at> wrote:

>I'm trying to set up a StaticPKIX trust engine on our SP.  This is the
>first time I've done this with Shibboleth.  I'm getting a
>ProfileException that the signature cannot be verified.  This is all in a
>sandbox so I have complete control over my setup.

The purpose of that trust engine is for verifying metadata, not for SAML
message use.

>One question would be my metadata from the Idp.  I do not see attributes
>in the KeyDescriptors or KeyInfo tags.  I assume that this is a config
>problem on the Idp.  How can I make sure that key names from the cert are
>passed so the PKIX will work?

That trust engine doesn't rely on metadata, which is why it's used for
different things. I don't know offhand how or whether it would work in
other contexts. In principle it would not unless the certificate contained
the entityID of the message issuer in every case.

-- Scott
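An added example (not part of this thread, and not Shibboleth code) for the two points raised above: Jonathan's expired signing certificate sitting in locally held IdP metadata that nothing refreshes automatically, and Scott's remark that a static trust engine could only vouch for a SAML message issuer if the certificate itself carried that issuer's entityID. The Go program below, standard library only, parses an EntityDescriptor, decodes each KeyDescriptor certificate and reports whether it has expired, whether its subject CN or a SAN URI equals the entityID (this example's own approximation of the name match Scott describes, not how any Shibboleth trust engine implements it), and whether the metadata's validUntil promises a lifetime longer than the certificate's own notAfter. The entityID https://idp.example.org/idp/shibboleth, the throwaway self-signed certificates and the metadata document are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// Minimal view of a SAML 2.0 EntityDescriptor; tags match on local name, so md:/ds: prefixes do not matter.
type entityDescriptor struct {
	EntityID   string `xml:"entityID,attr"`
	ValidUntil string `xml:"validUntil,attr"`
	Keys       []struct {
		Use   string   `xml:"use,attr"`
		Certs []string `xml:"KeyInfo>X509Data>X509Certificate"`
	} `xml:"IDPSSODescriptor>KeyDescriptor"`
}

type CertReport struct {
	Use           string // "signing", "encryption", or "" meaning both
	Expired       bool   // the certificate's notAfter is already in the past
	NamesEntityID bool   // subject CN or a SAN URI equals the entityID
	OutlivesCert  bool   // metadata validUntil is later than the certificate's notAfter
}

// CheckMetadataCerts decodes each KeyDescriptor certificate and reports expiry, entityID naming and validUntil overrun.
func CheckMetadataCerts(md []byte, now time.Time) ([]CertReport, error) {
	var ed entityDescriptor
	if err := xml.Unmarshal(md, &ed); err != nil {
		return nil, fmt.Errorf("parse metadata: %w", err)
	}
	validUntil, err := time.Parse(time.RFC3339, ed.ValidUntil) // zero time when absent
	if ed.ValidUntil != "" && err != nil {
		return nil, fmt.Errorf("validUntil: %w", err)
	}
	var reports []CertReport
	for _, kd := range ed.Keys {
		for _, b64 := range kd.Certs { // base64 DER, usually wrapped across lines
			der, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(b64), ""))
			if err != nil {
				return nil, fmt.Errorf("KeyDescriptor use=%q: %w", kd.Use, err)
			}
			cert, err := x509.ParseCertificate(der)
			if err != nil {
				return nil, fmt.Errorf("KeyDescriptor use=%q: %w", kd.Use, err)
			}
			r := CertReport{Use: kd.Use, Expired: now.After(cert.NotAfter), NamesEntityID: cert.Subject.CommonName == ed.EntityID,
				OutlivesCert: !validUntil.IsZero() && validUntil.After(cert.NotAfter)}
			for _, u := range cert.URIs {
				r.NamesEntityID = r.NamesEntityID || u.String() == ed.EntityID
			}
			reports = append(reports, r)
		}
	}
	return reports, nil
}

// NewSelfSignedCert makes a throwaway self-signed cert for the sample; a non-nil sanURI becomes a SAN URI name.
func NewSelfSignedCert(cn string, sanURI *url.URL, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature}
	if sanURI != nil {
		tmpl.URIs = []*url.URL{sanURI}
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// BuildMetadata assembles a constructed IdP EntityDescriptor (sample input, not real IdP metadata).
func BuildMetadata(entityID, validUntil string, signingDER, encDER []byte) []byte {
	b64 := base64.StdEncoding.EncodeToString
	return []byte(fmt.Sprintf(`<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID=%q validUntil=%q>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>`, entityID, validUntil, b64(signingDER), b64(encDER)))
}

func main() {
	now := time.Now().UTC()
	idp := &url.URL{Scheme: "https", Host: "idp.example.org", Path: "/idp/shibboleth"} // hypothetical entityID
	signing, _ := NewSelfSignedCert(idp.Host, idp, now.AddDate(-2, 0, 0), now.AddDate(0, 0, -1)) // expired yesterday, names the entityID
	encr, _ := NewSelfSignedCert(idp.Host, nil, now.AddDate(0, 0, -1), now.AddDate(1, 0, 0))     // current, names nothing
	reports, err := CheckMetadataCerts(BuildMetadata(idp.String(), now.AddDate(0, 0, 30).Format(time.RFC3339), signing, encr), now)
	fmt.Printf("%+v\n%v\n", reports, err)
}
```

Run this against the metadata files the SP actually loads, which is exactly the case where nothing refreshes them, and alert on Expired or OutlivesCert well before the signing certificate's notAfter. The check deliberately lives outside the SP, in keeping with Scott's point that the StaticPKIX engine is meant for verifying metadata signatures rather than SAML messages.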
