Shib v3 x509 certificate

Tom Scavo trscavo at
Mon Jul 2 16:47:00 EDT 2018

Hi Vanna,

On Mon, Jul 2, 2018 at 4:31 PM, Ramaiah, Vanna G. <ramaiah at> wrote:
> I am working on installing IdP 3 and have questions on what type of X.509
> certificates to be used.

You should probably start by reading the SecurityAndNetworking [1]
topic, especially the section on Keys and Certificates.

> Can we have self-signed X.509 certificates (10 yr validity) for Shibboleth
> IdP or should that be registered (2 yr)? I am afraid that if I roll out a 2
> year validity certificate, I need to work with SPs to get the certificate
> changed every 2 years.

Depending on circumstances, none of that may matter.

> Also, what do the SPs/InCommon usually trust in general?

If your IdP metadata is registered with InCommon, you should
definitely start there. Search for the topic "X.509 Certificates in
Metadata" for specific recommendations.



[1] SecurityAndNetworking
