SP CredentialResolver locally signed SSL certificate

Tom Noonan tom at joinroot.com
Wed Feb 28 16:18:58 EST 2018

Thanks.  So making sure I'm understanding things right:

- If no TrustEngine is specified the ExplicitKey engine is tried, and then
the PKIX engine (https://wiki.shibboleth.net/confluence/display/SHIB2/
- The CredentialResolver config is used by the StaticPKIX engine.

I'm still not clear on how the CredentialResolver certificate is used.
This is just academic for me at this point, though, as after reading these
docs I verified that the ExplicitKey is the trust engine I should use, so
I've removed the cert in question from my config.

--Tom Noonan II

On Tue, Feb 27, 2018 at 12:17 PM, Peter Schober <peter.schober at univie.ac.at> wrote:

> * Tom Noonan <tom at joinroot.com> [2018-02-27 17:14]:
> > I'm currently using a self-signed certificate for the SP Credential
> > resolver; my config for this is the same as the example:
> >
> > <CredentialResolver type="File" key="/etc/shibboleth/sp.key"
> > certificate="/etc/shibboleth/sp.crt"/>
> >
> > This works fine, I have no login errors.  However, I'm not clear on how
> > this certificate is used.  Am I opening myself up to spoofing attacks by
> > using a self-signed certificate for this?
> See
> https://wiki.shibboleth.net/confluence/display/CONCEPT/TrustManagement
> esp. "Inline / Explicit Key Trust Engine"
> The formal write-up of this can be found here:
> https://wiki.oasis-open.org/security/SAML2MetadataIOP
> -peter
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
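
The point Peter's links make (and that the thread leaves implicit) is that under the ExplicitKey trust engine the SP certificate is only a container for a public key: the relying party takes the key from SAML metadata and checks signatures against it, and never validates the certificate's chain, so a self-signed certificate is not a spoofing risk. The following is an added example, not code from the thread and not Shibboleth's own code, that models that behaviour with the openssl CLI. It assumes openssl is on PATH; the file names under the temp directory, the "metadata.pub" stand-in for a metadata KeyDescriptor, and the message text are constructed for the demo. It also shows, for contrast, the PKIX check that a self-signed certificate without a trust anchor fails, and a spoofing attempt with a second self-signed key that the metadata key rejects.

```shell
#!/bin/sh
# Added example, not code from the thread or from Shibboleth: models with the
# openssl CLI what the ExplicitKey trust engine does with the SP's self-signed
# certificate. Paths and the message text are constructed for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed key pair + certificate, like the sp.key/sp.crt that the
# <CredentialResolver type="File"> in the thread points at. $1 is a name prefix.
gen_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=$1.example.org" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# "Metadata": the IdP learned the SP's certificate out of band (the KeyDescriptor
# in SAML metadata). The trust anchor is the key itself, not the cert's chain.
# Only sp is published; the attacker's cert never reaches the IdP's metadata.
publish_metadata_key() {
  openssl x509 -in "$WORK/sp.crt" -pubkey -noout > "$WORK/metadata.pub"
}

# Sign a message (stand-in for a signed SAML request) with $1's private key.
sign_message() {
  printf '%s' "$2" > "$WORK/msg"
  openssl dgst -sha256 -sign "$WORK/$1.key" -out "$WORK/msg.sig" "$WORK/msg"
}

# ExplicitKey check: does the signature verify under the key from metadata?
# The certificate that carried the key is irrelevant, so self-signed is fine.
verify_explicit_key() {
  printf '%s' "$1" > "$WORK/check"
  openssl dgst -sha256 -verify "$WORK/metadata.pub" \
    -signature "$WORK/msg.sig" "$WORK/check" >/dev/null 2>&1
}

# PKIX check for contrast: validate sp.crt's chain against a trust store that
# holds an unrelated CA. A self-signed cert with no anchor in the store fails.
verify_pkix() {
  openssl verify -CAfile "$WORK/unrelated-ca.crt" "$WORK/sp.crt" >/dev/null 2>&1
}

# Constructed stand-in for a signed SAML message.
MSG='SAMLRequest=constructed-demo-payload'

gen_selfsigned sp
gen_selfsigned attacker
gen_selfsigned unrelated-ca
publish_metadata_key

sign_message sp "$MSG"
if verify_explicit_key "$MSG"; then
  echo "ExplicitKey: SP signature accepted"
fi
if ! verify_explicit_key "${MSG}&tampered=1"; then
  echo "ExplicitKey: tampered message rejected"
fi

# Spoofing attempt: the attacker signs with its own self-signed key. The IdP
# still only holds the SP key from metadata, so this fails.
sign_message attacker "$MSG"
if ! verify_explicit_key "$MSG"; then
  echo "ExplicitKey: attacker's self-signed key rejected"
fi

if ! verify_pkix; then
  echo "PKIX: self-signed sp.crt has no chain to a trust anchor"
fi
```

The takeaway matches Tom's conclusion: with ExplicitKey the security of the exchange rests on the integrity of the metadata that carries the key, not on who signed the certificate, so the thing to protect is the metadata distribution channel (signed metadata, a trusted MetadataProvider), and a CA-issued certificate buys nothing extra for this engine.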