IDP 3.4.3 Expiring Signing Certificate Rollover
Rich Thomas
rcthomas at utmb.edu
Tue Feb 4 18:33:23 EST 2020
Need to roll over the IDP signing cert. It was carried over from IDP V2.
1. Added new signing cert/key pair to idp.properties and defined expiring
certs associated with .2
idp.signing.key= %{idp.home}/credentials/idp-signing.key
idp.signing.cert= %{idp.home}/credentials/idp-signing.crt
idp.signing.key.2 = %{idp.home}/credentials/idp-signing-old.key
idp.signing.cert.2 = %{idp.home}/credentials/idp-signing-old.crt
idp.encryption.key= %{idp.home}/credentials/idp-encryption.key
idp.encryption.cert= %{idp.home}/credentials/idp-encryption.crt
2. Added Cert to IDP metadata
3. Defined additional cert and key in credentials.xml following example for
the encryption key rollover defined in the file
<alias alias="shibboleth.SigningCredentials"
       name="shibboleth.DefaultSigningCredential" />
<util:list id="shibboleth.DefaultSigningCredential">
    <bean class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean"
          p:privateKeyResource="%{idp.signing.key}"
          p:certificateResource="%{idp.signing.cert}"
          p:entityId-ref="entityID" />
    <bean class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean"
          p:privateKeyResource="%{idp.signing.key.2}"
          p:certificateResource="%{idp.signing.cert.2}"
          p:entityId-ref="entityID" />
</util:list>
I have verified that the old and new signing certs work, but only one at a time,
depending on which bean is not commented out or which bean is first within
util:list in credentials.xml.
Not seeing any errors in logs. IDP authentication is working.
Haven't found other documentation.
--
Sent from: https://shibboleth.1660669.n2.nabble.com/Shibboleth-Users-f1660767.html
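As an added check for step 2 of the procedure above (this is not code from the post or from the Shibboleth project), a Python script that reads the idp.signing.cert properties, the PEM files they point to, and the published IdP metadata, and reports which of the configured signing certs SPs can actually see as signing keys; the property text, certificate bodies and entityID are constructed placeholders, and a real run would read the files from the credentials directory.

```python
# Added example, not code from the post: check that every signing cert named in
# idp.properties (idp.signing.cert, idp.signing.cert.N) is published as a signing
# KeyDescriptor in the IdP metadata. All inputs are constructed placeholders.
import re
import xml.etree.ElementTree as ET

MD, DS = "urn:oasis:names:tc:SAML:2.0:metadata", "http://www.w3.org/2000/09/xmldsig#"

def configured_signing_certs(properties_text):
    """Map idp.signing.cert and idp.signing.cert.N property names to their file paths."""
    pat = re.compile(r"\s*(idp\.signing\.cert(?:\.\d+)?)\s*=\s*(\S+)")
    return {m.group(1): m.group(2) for m in map(pat.match, properties_text.splitlines()) if m}

def normalize_b64(text):
    """Drop PEM armour and whitespace so a cert compares as a single base64 string."""
    return re.sub(r"\s+", "", re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", text))

def metadata_signing_certs(metadata_xml):
    """Base64 of every cert in a KeyDescriptor with use="signing" or no use attribute."""
    root = ET.fromstring(metadata_xml)
    return {normalize_b64(c.text or "")
            for kd in root.iter("{%s}KeyDescriptor" % MD) if kd.get("use", "signing") == "signing"
            for c in kd.iter("{%s}X509Certificate" % DS)}

def rollover_report(properties_text, cert_files, metadata_xml):
    """Per configured signing cert property: True if the metadata already publishes it."""
    published = metadata_signing_certs(metadata_xml)
    return {name: normalize_b64(cert_files[path]) in published
            for name, path in configured_signing_certs(properties_text).items()}

# Constructed sample inputs mirroring the post's idp.properties; cert bodies are fake.
SAMPLE_PROPERTIES = """idp.signing.cert= %{idp.home}/credentials/idp-signing.crt
idp.signing.cert.2 = %{idp.home}/credentials/idp-signing-old.crt
"""
SAMPLE_CERT_FILES = {  # path -> PEM content, as it would be read from the credentials directory
    "%{idp.home}/credentials/idp-signing.crt": "-----BEGIN CERTIFICATE-----\nNEWCERT==\n-----END CERTIFICATE-----\n",
    "%{idp.home}/credentials/idp-signing-old.crt": "-----BEGIN CERTIFICATE-----\nOLDCERT==\n-----END CERTIFICATE-----\n",
}
# Metadata that publishes only the new cert for signing: the old one was not added in step 2.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" entityID="https://idp.example.org/idp/shibboleth">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   NEWCERT==
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>ENCCERT==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>""" % (MD, DS)
if __name__ == "__main__":
    for name, ok in rollover_report(SAMPLE_PROPERTIES, SAMPLE_CERT_FILES, SAMPLE_METADATA).items():
        print(name, "published" if ok else "MISSING from metadata")
```

With the constructed inputs the report flags idp.signing.cert.2 as missing, which is the state SPs would be in until the old cert is also published alongside the new one.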