Custom certificates for IDP
andranik.h89 at gmail.com
Mon May 18 15:50:20 EDT 2015
Thank you very much for information. It was very helpful! Actually for now
I needed only certificates for webserver and I configured it.
On Mon, May 18, 2015 at 6:03 PM, Peter Schober <peter.schober at univie.ac.at>
> * Andranik Hayrapetyan <andranik.h89 at gmail.com> [2015-05-18 15:43]:
> > Is there a way to install Shibboleth IDP 3.1.1 with custom certificate
> > key? Or I have to install and than change them manually?
> Certificates for what, specifically?
> * TLS/SSL for the webserver? This has nothing to do with Shibboleth
> and you can do whatever oyu want here, keeping in minf that all your
> subject's browsers should be able to trust your IDP's web server.
> * For securiting SAML protocol messages the IDP installer generates a
> self-issued key pair for you, so that you don't have to. That's the
> recommended way to deploy SAML but may not work in all cases (e.g. if
> you're working with a Federation they may have requirements on the
> And what is a "custom certificate"? All certificates anywhere should
> be specific to the system (TLS webserver just like "trust fabric"
> keys), so there should never be anything else than "custom"
> There certainly aren't any default certificates in use anywhere here.
> > P.S. any documentation about this will be useful, because I am not
> > strong at certificate staff.
> Basically for the former (TLS web server) this is not an issue for
> Shibbolth to document, check your web server's documentation.
> For the latter ("trust fabric" keys, for securing SAML protcol
> messages) you shouldn't have to do anything and the installer should
> Do The Right Thing.
> If that doesn't meet some specific requirements the origin of those
> requirements should be able to tell give you specifics.
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the users