Another day, another attribute

Peter Schober peter.schober at
Fri Nov 23 12:23:41 EST 2012

* Wynne, David <D.Wynne at> [2012-11-23 18:01]:
> On the subject of certificates I've always generated a "self-signed"
> certificate for our Apache webserver as previously it's only been
> used internally. Do I now need to buy a certificate from a root
> signing authority like Verisign for our Apache webserver if we want
> to authenticate with our shibboleth-idp on other Shibboleth SPs
> other than testshib? The attributes seem to work on testshib but
> other SPs might block them because our Apache cert is untrusted.

Only the subject's HTTP user agent interacts with the webserver and
its TLS/SSL certificate. As such, only the subject's user agent needs
to be able to verify the webserver's certificate.
Technically there's nothing stopping you from using untrusted
certificates on any webserver, including the Shibboleth IdP.
