Using Two Credential's in relying-party.xml

Cantor, Scott cantor.2 at
Wed Jan 25 16:24:03 GMT 2012

> I'm looking to use two separate certificates in the IDP metadata (one signing
> the other encryption).
> Do both of these certificates have to come from the same private key?

Certificates are like projections of public key credentials, they have nothing to do with the actual signing or encryption function. You aren't defining certificates, you're defining key pairs and certifcates that perform a function and are communicated to a peer in hinting structures like KeyInfo to identify the key. What certificate is used depends on the trust model in use and other factors.

But the IdP doesn't support decryption, so there is no support for an encryption credential. It might be config-legal, but won't do anything for you. It will be ignored AFAIK.

The multiple credential support is designed for handling different signing keys or certificates (that is, different projections of a given key) to different peers.

> Is it possible to use certificates from different private keys (ie singing from
> one private key, encryption from another private key)?

The whole point of dedicated key use is to use separate keys.

-- Scott

More information about the users mailing list