IdP SSL Certificate Renewal
Matt MacAdam
mattjm at uw.edu
Wed Apr 17 17:57:46 EDT 2019
> I cannot find the corresponding certificate or key information for itfederation.jmu.edu on the file systems of either it-federation1 or it-federation2.
The implication here is you *can* find cert/key information for the
cluster member certs (fed1, fed2) on the respective servers. Is that
the case?
> If I navigate to either fed1 or fed2 directly via web browser, neither have valid certificates.
What is it about the certs that isn't valid? Do you get a cert for
fedx but it's expired, or is it a cert for itfederation.jmu.edu but
you get a hostname mismatch?
-----
Matt MacAdam
Software Engineer
Service Manager (Certificate Services)
UW Information Technology
206-616-9842
On Wed, Apr 17, 2019 at 2:21 PM Garmer, Jack - garmercj
<garmercj at jmu.edu> wrote:
>
> Good Evening!
>
> Please correct me if I have a fundamental misunderstanding of how certificates work on the IdP side. I inherited this system and I'm still getting my bearings.
>
> Currently, we have two servers configured with a vIP (keepalived) for high availability. itfederation.jmu.edu is the FQDN for the vIP, then the two servers are named it-federation1.jmu.edu and it-federation2.jmu.edu. We've replicated this setup in a dev environment as well. All of the above, to my knowledge, have SSL certs signed by InCommon.
>
> Here is my confusion. We received e-mail notification that the cert for it-federation2.jmu.edu is expiring. I cannot locate the corresponding cert on the server. If I navigate to itfederation.jmu.edu in a browser, I can pull cert information for itfederation.jmu.edu. I cannot find the corresponding certificate or key information for itfederation.jmu.edu on the file systems of either it-federation1 or it-federation2. If I navigate to either fed1 or fed2 directly via web browser, neither have valid certificates.
>
> My question is, how are certificates for the IdP stored in an HA Shib installation with keepalived and Jetty? Are they imported into a keystore? Are they stored in a file other than a .crt, .cer or .pem?
>
> Thank you!
>
> --
> Jack Garmer
> Linux Systems Administrator
> James Madison University, IT Technical Services
> w: 540-568-4235 | c: 540-290-2154
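One way to answer Matt's diagnostic question (expired cert, or a cert for the wrong name?) without guessing from a browser dialog is to inspect the leaf certificate directly. The script below is an added example, not from the thread or from the Shibboleth project; it assumes `openssl` 1.1.1 or newer is on PATH, uses the hostnames from the thread, and its offline demo signs constructed self-signed certs rather than the real InCommon ones.

```shell
#!/bin/sh
# Added example: classify a certificate as ok / expiring / mismatch against the
# name a browser would ask for. Assumes openssl >= 1.1.1 (for req -addext).

# Fetch the leaf certificate an endpoint presents for a given SNI name.
# Network call: useful against the vIP and each cluster node, not run by default.
fetch_leaf_cert() {  # fetch_leaf_cert <connect-host> <sni-name> <out.pem>
  openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$3"
}

# classify_cert <cert.pem> <expected-hostname> [seconds-ahead]
# Prints: ok | expiring | mismatch | expiring+mismatch
classify_cert() {
  cert=$1; host=$2; ahead=${3:-0}; status=""
  # -checkend exits non-zero when notAfter falls within <seconds-ahead> of now
  if ! openssl x509 -in "$cert" -noout -checkend "$ahead" >/dev/null; then
    status="expiring"
  fi
  # -checkhost reports whether the SAN/CN covers the requested hostname
  if ! openssl x509 -in "$cert" -noout -checkhost "$host" \
       | grep -q 'does match certificate'; then
    status="${status:+$status+}mismatch"
  fi
  echo "${status:-ok}"
}

# make_test_cert <dns-name> <days> <out.pem>: constructed self-signed cert for
# the offline demo (the private key is discarded).
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null -out "$3" \
    -days "$2" -subj "/CN=$1" -addext "subjectAltName=DNS:$1" 2>/dev/null
}

demo() {
  d=$(mktemp -d)
  make_test_cert it-federation2.jmu.edu 1 "$d/fed2.pem"   # node cert, 1 day left
  make_test_cert itfederation.jmu.edu 365 "$d/vip.pem"    # vIP cert, 1 year left
  # A node cert seen when asking for the vIP name, with a 30-day warning window:
  echo "fed2 cert for vIP name:  $(classify_cert "$d/fed2.pem" itfederation.jmu.edu 2592000)"
  echo "fed2 cert for own name:  $(classify_cert "$d/fed2.pem" it-federation2.jmu.edu)"
  echo "vIP cert for node name:  $(classify_cert "$d/vip.pem" it-federation2.jmu.edu)"
  echo "vIP cert for vIP name:   $(classify_cert "$d/vip.pem" itfederation.jmu.edu)"
  rm -rf "$d"
}

demo
```

To check a live node, run `fetch_leaf_cert it-federation2.jmu.edu itfederation.jmu.edu /tmp/fed2.pem` and then `classify_cert /tmp/fed2.pem itfederation.jmu.edu 2592000`; a "mismatch" there with "ok" for the vIP name points at SNI/virtual-host selection rather than a missing renewal.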