sp key rollover

Liam Hoekenga liamr at umich.edu
Fri Apr 17 16:10:41 EDT 2015


We're using Canvas.  The cert they're using expires on 4/22, and they've
sent us a new cert.  They do not publish metadata - we've got a local copy.

I'm trying to get key rollover working.  I remember the InCommon federation
migrated from one fed signing cert to another.  This doc suggests it should
be possible for the SP too:
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPMultipleCredentials

Ideally the metadata would contain both the new and old certs so we don't
need to coordinate a real-time rollover. The metadata already has separate
configuration for the signing and encryption keys (although they are both
the same certificate).

Since the metadata is on the IdP (and not a Shib SP), I've not been able to
follow the wiki instructions exactly:

<CredentialResolver type="Chaining">
    <CredentialResolver type="File" key="new-key.pem" certificate="new-cert.pem" use="encryption"/>
    <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
</CredentialResolver>

The metadata should work for a beta site as well as production, but I can
only get encryption working for one SP or the other, not both.  I've tried
a number of things in the SP metadata (rough representations)...

<KeyDescriptor use="encryption">new cert</KeyDescriptor>
<KeyDescriptor use="encryption">old cert</KeyDescriptor>
<KeyDescriptor use="signing">new cert</KeyDescriptor>
<KeyDescriptor use="signing">old cert</KeyDescriptor>

<KeyDescriptor use="encryption">new cert</KeyDescriptor>
<KeyDescriptor>old cert</KeyDescriptor>

<KeyDescriptor>
new cert
old cert
</KeyDescriptor>

...and the reverse of all of them (i.e. old cert, new cert)

Any suggestions?  Rollover suggests to me that the certs should be able to
co-exist.

Liam
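As an added example (not from Liam's post or the Shibboleth wiki), a small Python helper that walks through the two-phase metadata rollover the post is reaching for: publish the new certificate alongside the old one for both uses, report which certificate each use advertises, then retire the old one. The entity ID, the metadata skeleton and the certificate blobs are constructed stand-ins (the code treats certificates as opaque base64 DER).

```python
import base64, hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

# Constructed stand-ins for DER certificates (not real X.509); the code never parses them.
OLD_CERT_B64 = base64.b64encode(b"constructed-old-cert").decode()
NEW_CERT_B64 = base64.b64encode(b"constructed-new-cert").decode()

# Constructed SP metadata with a single KeyDescriptor and no use attribute (= signing and encryption).
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="https://sp.example.edu/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{OLD_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def fingerprint(cert_b64):
    """Short SHA-256 fingerprint of the DER bytes, used to identify a cert in reports."""
    return hashlib.sha256(base64.b64decode(cert_b64)).hexdigest()[:16]

def key_coverage(xml_text):
    """Map each use ('signing', 'encryption') to the ordered cert fingerprints advertised
    for it. A KeyDescriptor without a use attribute counts for both uses (SAML metadata rule)."""
    cov = {"signing": [], "encryption": []}
    for kd in ET.fromstring(xml_text).iter(f"{{{MD}}}KeyDescriptor"):
        cert = kd.find(f".//{{{DS}}}X509Certificate").text.strip()
        uses = (kd.get("use"),) if kd.get("use") else ("signing", "encryption")
        for use in uses:
            cov[use].append(fingerprint(cert))
    return cov

def add_rollover_cert(xml_text, new_cert_b64):
    """Phase 1: list the new cert first, for both uses, while keeping the old one published."""
    root = ET.fromstring(xml_text)
    spsso = root.find(f"{{{MD}}}SPSSODescriptor")
    for pos, use in enumerate(("signing", "encryption")):
        kd = ET.Element(f"{{{MD}}}KeyDescriptor", use=use)
        x509 = ET.SubElement(ET.SubElement(kd, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
        ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = new_cert_b64
        spsso.insert(pos, kd)
    return ET.tostring(root, encoding="unicode")

def retire_cert(xml_text, old_cert_b64):
    """Phase 2: drop every KeyDescriptor carrying the old cert once all peers use the new one."""
    root = ET.fromstring(xml_text)
    spsso = root.find(f"{{{MD}}}SPSSODescriptor")
    for kd in list(spsso.findall(f"{{{MD}}}KeyDescriptor")):
        if kd.find(f".//{{{DS}}}X509Certificate").text.strip() == old_cert_b64:
            spsso.remove(kd)
    return ET.tostring(root, encoding="unicode")
```

While both certificates are published for encryption, a peer may encrypt to either, so the SP has to keep both private keys loaded until phase 2 is done.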