Custom certificates for IDP

Peter Schober peter.schober at
Mon May 18 10:03:39 EDT 2015

* Andranik Hayrapetyan <andranik.h89 at> [2015-05-18 15:43]:
> Is there a way to install Shibboleth IDP 3.1.1 with custom certificate and
> key? Or I have to install and than change them manually?

Certificates for what, specifically?

* TLS/SSL for the webserver? This has nothing to do with Shibboleth
and you can do whatever oyu want here, keeping in minf that all your
subject's browsers should be able to trust your IDP's web server.

* For securiting SAML protocol messages the IDP installer generates a
self-issued key pair for you, so that you don't have to. That's the
recommended way to deploy SAML but may not work in all cases (e.g. if
you're working with a Federation they may have requirements on the

And what is a "custom certificate"? All certificates anywhere should
be specific to the system (TLS webserver just like "trust fabric"
keys), so there should never be anything else than "custom"
There certainly aren't any default certificates in use anywhere here.

> P.S. any documentation about this will be useful, because I am not
> strong at certificate staff.

Basically for the former (TLS web server) this is not an issue for
Shibbolth to document, check your web server's documentation.

For the latter ("trust fabric" keys, for securing SAML protcol
messages) you shouldn't have to do anything and the installer should
Do The Right Thing.
If that doesn't meet some specific requirements the origin of those
requirements should be able to tell give you specifics.

More information about the users mailing list