IdP SSL Certificate Renewal
Garmer, Jack - garmercj
garmercj at jmu.edu
Wed Apr 17 17:20:45 EDT 2019
Please correct me if I have a fundamental misunderstanding of how certificates work on the IdP side; I inherited this system and I'm still getting my bearings.
Currently, we have two servers configured with a vIP (keepalived) for high availability. itfederation.jmu.edu is the FQDN for the vIP, and the two servers are named it-federation1.jmu.edu and it-federation2.jmu.edu. We've replicated this setup in a dev environment as well. All of the above, to my knowledge, have SSL certs signed by InCommon.
Here is my confusion. We received e-mail notification that the cert for it-federation2.jmu.edu is expiring. I cannot locate the corresponding cert on the server. If I navigate to itfederation.jmu.edu in a browser, I can pull cert information for itfederation.jmu.edu. I cannot find the corresponding certificate or key information for itfederation.jmu.edu on the file systems of either it-federation1 or it-federation2. If I navigate to either fed1 or fed2 directly via web browser, neither has a valid certificate.
My question is, how are certificates for the IdP stored in an HA Shib installation with keepalived and Jetty? Are they imported into a keystore? Are they stored in a file other than a .crt, .cer or .pem?
Linux Systems Administrator
James Madison University, IT Technical Services
w: 540-568-4235 | c: 540-290-2154
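The checks I would run on each node before renewing anything, as an added example that is not from the original post or from the Shibboleth project: Jetty serves TLS from a Java keystore (JKS or PKCS#12), so a certificate that only exists inside one will not show up when searching for .crt, .cer or .pem files, and the IdP's own credentials/ directory holds its SAML signing and encryption keys, which are separate from the browser-facing certificate. With keepalived, the current master answers for the vIP, so what the browser shows for itfederation.jmu.edu is whatever that one node presents; querying it-federation1 and it-federation2 directly tells you which node holds which certificate. The script compares what a host actually presents on port 443, reads the keystore path out of Jetty's start.d configuration, finds keystore-like files by their magic bytes rather than their extension, and prints fingerprints you can match against the browser. The jetty-base location, the keyStorePath property name and the availability of openssl, keytool, od, base64 and sha256sum are assumptions to adjust for the real installation.

```shell
#!/bin/sh
# Added example, not from the original post or the Shibboleth project.
# Assumptions (adjust for the real installation):
#   - the IdP runs under Jetty with its jetty-base in $JETTY_BASE and the TLS
#     keystore named by a "keyStorePath" property in start.d/*.ini;
#   - openssl, keytool (from the JDK), od, base64 and sha256sum are on PATH.
JETTY_BASE="${JETTY_BASE:-/opt/shibboleth-idp/jetty-base}"

# 1. Fingerprint of the certificate a host actually presents on 443.
#    The optional second argument is the SNI name, so you can ask each node
#    directly (it-federation1/2) what it would serve for the vIP's name.
served_fingerprint() {
    openssl s_client -connect "$1:443" -servername "${2:-$1}" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}

# 2. Where Jetty is told to load its keystore from (uncommented lines only).
jetty_keystore_paths() {
    grep -rh 'keyStorePath' "$JETTY_BASE/start.d" 2>/dev/null |
        grep -v '^[[:space:]]*#' | sed 's/^[^=]*=//' | sort -u
}

# 3. Classify a file by content, not by extension: PEM is recognisable by its
#    header line, a JKS keystore starts with the magic bytes FE ED FE ED, and
#    PKCS#12 keystores and DER certificates start with an ASN.1 SEQUENCE
#    (30 82 ..). Prints nothing for anything else.
classify_file() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo PEM
        return 0
    fi
    case $(head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n') in
        feedfeed) echo JKS ;;
        3082*)    echo DER-or-PKCS12 ;;
        *)        echo "" ;;
    esac
}

# 4. Walk directories and list every keystore-like file, whatever its name.
#    Files over ~4 MB (8192 512-byte blocks) are skipped as unlikely candidates.
find_keystores() {
    find "$@" -type f -size -8192 2>/dev/null | while IFS= read -r f; do
        kind=$(classify_file "$f")
        if [ -n "$kind" ]; then
            printf '%s\t%s\n' "$kind" "$f"
        fi
    done
}

# 5. SHA-256 fingerprint of the first certificate in a PEM file, computed the
#    way browsers and "openssl x509 -noout -fingerprint -sha256" do: over the
#    DER bytes, printed as colon-separated upper-case hex.
pem_fingerprint() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/{p;/-----END CERTIFICATE-----/q;}' "$1" |
        sed '1d;$d' | tr -d '\n\r' | base64 -d | sha256sum | cut -d' ' -f1 |
        sed 's/../&:/g; s/:$//' | tr 'a-f' 'A-F'
}

# 6. JKS/PKCS#12 contents cannot be grepped; keytool lists each entry with its
#    validity period and SHA-256 fingerprint (prompts for the password unless
#    one is passed as the second argument).
keystore_list() {
    if [ -n "$2" ]; then
        keytool -list -v -keystore "$1" -storepass "$2"
    else
        keytool -list -v -keystore "$1"
    fi 2>/dev/null | grep -E 'Alias name|Valid from|SHA256:'
}

# Usage: sh find-idp-cert.sh <host-to-query> [dir ...]
if [ $# -gt 0 ]; then
    host=$1; shift
    echo "Presented by $host:"; served_fingerprint "$host"
    echo "Jetty keyStorePath setting(s):"; jetty_keystore_paths
    echo "Keystore-like files:"; find_keystores "$@"
fi
```

Run it as `sh find-idp-cert.sh it-federation2.jmu.edu /opt/shibboleth-idp /etc` on each node and compare the presented fingerprint with the one the browser shows for the vIP. A JKS or PKCS#12 hit from find_keystores needs keystore_list (keytool -list -v) to see the entries, their validity dates and SHA-256 fingerprints; an expiry notice for a name that no file on disk seems to match usually means the certificate is inside such a keystore rather than in a PEM file.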