SP CredentialResolver locally signed SSL certificate
Tom Noonan
tom at joinroot.com
Wed Feb 28 16:24:45 EST 2018
Actually, never mind how that cert is used. If my curiosity gets
the better of me I'll read more on PKIX.
--Tom Noonan II
On Wed, Feb 28, 2018 at 4:18 PM, Tom Noonan <tom at joinroot.com> wrote:
> Thanks. So making sure I'm understanding things right:
>
> - If no TrustEngine is specified the ExplicitKey engine is tried, and then
> the PKIX engine (https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPTrustEngine)
> - The CredentialResolver config is used by the StaticPKIX engine.
>
> I'm still not clear on how the CredentialResolver certificate is used.
> This is just academic for me at this point, though, as after reading these
> docs I verified that the ExplicitKey is the trust engine I should use, so
> I've removed the cert in question from my config.
>
> --Tom Noonan II
>
> On Tue, Feb 27, 2018 at 12:17 PM, Peter Schober <
> peter.schober at univie.ac.at> wrote:
>
>> * Tom Noonan <tom at joinroot.com> [2018-02-27 17:14]:
>> > I'm currently using a self-signed certificate for the SP Credential
>> > resolver; my config for this is the same as the example:
>> >
>> > <CredentialResolver type="File" key="/etc/shibboleth/sp.key"
>> > certificate="/etc/shibboleth/sp.crt"/>
>> >
>> > This works fine, I have no login errors. However, I'm not clear on how
>> > this certificate is used. Am I opening myself up to spoofing attacks by
>> > using a self-signed certificate for this?
>>
>> See
>> https://wiki.shibboleth.net/confluence/display/CONCEPT/TrustManagement
>> esp. "Inline / Explicit Key Trust Engine"
>>
>> The formal write-up of this can be found here:
>> https://wiki.oasis-open.org/security/SAML2MetadataIOP
>>
>> -peter
>> --
>> For Consortium Member technical support, see
>> https://wiki.shibboleth.net/confluence/x/coFAAg
>> To unsubscribe from this list send an email to
>> users-unsubscribe at shibboleth.net
>>
>
>
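Under the ExplicitKey trust model discussed in this thread, the self-signed sp.crt is trusted only because the exact same certificate is published in the SP's metadata, so the check an operator wants is "does the cert in my CredentialResolver match what my metadata advertises?". The script below is an added example, not code from the Shibboleth project or the thread; it compares the full DER bytes of the configured certificate against the <ds:X509Certificate> entries in a constructed metadata sample (the real ExplicitKey engine compares public keys, so whole-certificate equality is a stricter check than what the SP itself does).

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour and whitespace, return the certificate's DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))

def metadata_certs(metadata_xml: str) -> dict:
    """Map each SP KeyDescriptor 'use' (signing/encryption/both) to the DER certs it publishes."""
    root = ET.fromstring(metadata_xml)
    found = {}
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        use = kd.get("use", "both")  # no 'use' attribute means the key serves both purposes
        for x509 in kd.iterfind(".//ds:X509Certificate", NS):
            found.setdefault(use, []).append(base64.b64decode("".join(x509.text.split())))
    return found

def check_explicit_key(sp_crt_pem: str, metadata_xml: str) -> dict:
    """Per key use, True if the CredentialResolver cert is one the metadata publishes."""
    der = pem_to_der(sp_crt_pem)
    return {use: der in certs for use, certs in metadata_certs(metadata_xml).items()}

# Constructed stand-in for /etc/shibboleth/sp.crt: not a real certificate, just bytes.
FAKE_DER = b"constructed-sp-certificate-bytes"
SP_CRT = "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(FAKE_DER).decode() + "\n-----END CERTIFICATE-----\n"
# Constructed SP metadata: the signing key matches sp.crt, the encryption key is a stale one.
METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(FAKE_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(b"old-rotated-out-cert").decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print(check_explicit_key(SP_CRT, METADATA))  # {'signing': True, 'encryption': False}
```

A False entry means the IdP, trusting only the metadata under ExplicitKey, will reject or fail to decrypt for that key use until the metadata is republished; the self-signed nature of the cert itself is not what matters, the integrity of the metadata distribution is.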