IdP Certificate Validity checking

Mark Cairney Mark.Cairney at
Thu Dec 3 15:19:20 UTC 2020


That's what I thought was the case but thought it best to check first.

For info the appropriate paragraph from the standard is:


In the case of an X.509 certificate, there are no requirements as to the 
content of the certificate apart from the requirement that it contain 
the appropriate public key. Specifically, the certificate may be 
expired, not yet valid, carry critical or non-critical extensions or 
usage flags, and contain any subject or issuer. The use of the 
certificate structure is merely a matter of notational convenience to 
communicate a key and has no semantics in this profile apart from that. 
However, it is RECOMMENDED that certificates be unexpired.


I'll feed this back but also point out that other IdP implementations 
may behave differently.

Kind regards,


On 03/12/2020 14:16, Cantor, Scott wrote:
>> Does the IdP do any validity checking of certificates or does it simply ignore the
>> expiry data?
> No. What we do is exactly what's defined in the standard.
> Unless you only care about Shibboleth IdPs, that's not going to matter much.
> -- Scott
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: not available
URL: <>

More information about the users mailing list