Renewing idp 3.4.3 SSL cert

James Hamilton James.Hamilton at
Tue Aug 18 20:10:54 UTC 2020

Thanks for the info Scott.

Best, James

-----Original Message-----
From: users <users-bounces at> On Behalf Of Cantor, Scott
Sent: Tuesday, August 18, 2020 2:02 PM
To: Shib Users <users at>
Subject: Re: Renewing idp 3.4.3 SSL cert

The IdP is a web application. Like any web application, the use of TLS has nothing to do with the application itself, it's a web server issue. The IdP itself has no "SSL cert" internally. There should never be any use of that certificate in metadata or in any SAML interactions, as it is too short-lived (soon to be even more short-lived).

I don't really know anything about the configuration of the "pretend you can operate the IdP and not run your own container" variant we built mostly from demand in the UK. If that has its own docs for how to configure what little is exposed, it would be in the wiki, but I don't really know where.

As for Jetty generically, it supports multiple formats for key material. I use PKCS12 personally and that's becoming the standard Java keystore format. I use OpenSSL to manipulate the files personally, though I think it's possible to screw around with keytool now too (and also possible to use various Java-based keystore manager GUIs).

-- Scott

For Consortium Member technical support, see
To unsubscribe from this list send an email to users-unsubscribe at

More information about the users mailing list