IdP SSL Certificate Renewal

Garmer, Jack - garmercj garmercj at jmu.edu
Wed Apr 17 17:20:45 EDT 2019


Good Evening!


Please correct me if I have a fundamental misunderstanding of how certificates work on the IdP side; I inherited this system and I'm still getting my bearings.


Currently, we have two servers configured with a vIP (keepalived) for high availability. itfederation.jmu.edu is the FQDN for the vIP, then the two servers are named it-federation1.jmu.edu and it-federation2.jmu.edu. We've replicated this setup in a dev environment as well. All of the above, to my knowledge, have ssl certs signed by InCommon.


Here is my confusion. We received e-mail notification that the cert for it-federation2.jmu.edu is expiring. I cannot locate the corresponding cert on the server. If I navigate to itfederation.jmu.edu in a browser, I can pull cert information for itfederation.jmu.edu. I cannot find the corresponding certificate or key information for itfederation.jmu.edu on the file systems of either it-federation1 or it-federation2. If I navigate to either fed1 or fed2 directly via web browser, neither has a valid certificate.


My question is, how are certificates for the IdP stored in an HA Shib installation with keepalived and Jetty? Are they imported into a keystore? Are they stored in a file other than a .crt, .cer or .pem?


Thank you!


--

Jack Garmer

Linux Systems Administrator

James Madison University, IT Technical Services


w: 540-568-4235 | c: 540-290-2154