Re-create Certificates in IdP v3?

Cantor, Scott cantor.2 at osu.edu
Fri Aug 28 13:40:46 EDT 2015


On 8/28/15, 1:18 PM, "users on behalf of Kevin Ratcliffe" <users-bounces at shibboleth.net on behalf of kev at fukr.org.uk> wrote:

>I've installed IdP v3 in a test environment and just accepted the
>defaults because my Tomcat was initially supposed to be reverse proxied
>by the same host. It is now proxied via a different host so do I now
>need to recreate the certs?

In IdP terms, the only cert in scope of the software that has any sensitivity to a hostname is the one for back-channel use. So if you don't use the backchannel, you can ignore that keypair.

We don't mandate any special tool(s) to manage keypairs and you should use whatever you prefer, but if you want to use the one the installer uses, the bin/keygen.* scripts run the Java class that does that work.

>In IdP v2 I used to use install.sh renew-cert to recreate certs, how is
>this done in IdP v3?

Open source software == open source tools and the most typical one for manipulating keypairs would be openssl. That's definitely what I use.

It's your container that loads the back channel keypair, though, so in point of fact, it's really separate. Jetty and Tomcat both support PKCS12 or Java's JKS keystore format (and neither supports PEM generally), so any tools that can generate one of those formats can be used, and we favor PKCS12 since that's less hassle, works with openssl, etc.

-- Scott
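The openssl route Scott describes, worked through as an added example (this is not code from the reply or from the Shibboleth project): generate a fresh keypair and self-signed certificate for the back-channel host, bundle them as a PKCS12 keystore the container can load, and then check that the keystore really holds the host you expect and that the private key matches the certificate. The hostname idp.example.org, the output directory, the alias idp-backchannel, the password and the RSA key size are all assumptions to adjust for your deployment; the functions and file names are mine.

```shell
#!/bin/sh
# Added example, not from the original post. Requires openssl 1.1.1 or newer
# (for -addext). Hostname, paths, alias, password and key size are assumptions.

# Create key + self-signed cert for the back-channel hostname, then a PKCS12.
#   $1 = hostname the container will be reached as (e.g. idp.example.org)
#   $2 = output directory
#   $3 = keystore password
#   $4 = validity in days (defaults to 10 years)
make_backchannel_p12() {
    host="$1"; outdir="$2"; pass="$3"; days="${4:-3650}"
    mkdir -p "$outdir" || return 1

    # Key and self-signed cert in one step. -subj avoids the interactive
    # prompts; the hostname also goes in subjectAltName, which is what
    # TLS clients actually check.
    openssl req -x509 -newkey rsa:3072 -sha256 -nodes -days "$days" \
        -keyout "$outdir/idp-backchannel.key" \
        -out "$outdir/idp-backchannel.crt" \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" 2>/dev/null || return 1

    # Bundle as PKCS12. -name sets the alias the container config refers to.
    openssl pkcs12 -export \
        -inkey "$outdir/idp-backchannel.key" \
        -in "$outdir/idp-backchannel.crt" \
        -name idp-backchannel \
        -out "$outdir/idp-backchannel.p12" \
        -passout "pass:$pass" 2>/dev/null || return 1
}

# Print the subject of the certificate stored in a PKCS12 file, so you can
# confirm it names the host the container is now proxied as.
#   $1 = PKCS12 file, $2 = keystore password
p12_subject() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null \
        | openssl x509 -noout -subject -nameopt RFC2253
}

# Check that the private key and certificate in the PKCS12 belong together
# by comparing the public key derived from each. Returns 0 on a match.
#   $1 = PKCS12 file, $2 = keystore password
p12_key_matches_cert() {
    keypub=$(openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" 2>/dev/null \
        | openssl pkey -pubout 2>/dev/null)
    certpub=$(openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null \
        | openssl x509 -pubkey -noout 2>/dev/null)
    [ -n "$keypub" ] && [ "$keypub" = "$certpub" ]
}

# Example run (paths and hostname are placeholders):
#   make_backchannel_p12 idp.example.org /opt/shibboleth-idp/credentials changeit
#   p12_subject /opt/shibboleth-idp/credentials/idp-backchannel.p12 changeit
#   p12_key_matches_cert /opt/shibboleth-idp/credentials/idp-backchannel.p12 changeit && echo "key matches cert"
```

The alias and password are the two values your Jetty or Tomcat SSL configuration has to agree with; the .key and .crt files are only intermediates and can be deleted once the PKCS12 is in place, or kept under restrictive permissions. Because this keypair is separate from the IdP's own signing and encryption credentials, regenerating it does not touch the metadata you have published for those.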


