Shibboleth SPv3: checking how to rollover the signing key
Peter Schober
peter.schober at univie.ac.at
Fri Mar 13 08:48:27 EDT 2020
* Gernot Hassenpflug <gernot.hassenpflug at asahinet.com> [2020-03-13 12:32]:
> This is the first time for us to try and rollover a signing key, as
> opposed to an encryption key.
Unless you have specific requirements in your authentication requests
that must remain intact, signing those probably doesn't buy you
anything. Are you even signing those?
And if you're not currently signing your authn requests the only thing
left to sign for the SP is SLO messages. Do you even support SLO in
your SP?
There are a few resources available that explain the concepts in
different terms (which you could find by searching for those), maybe
those are more helpful?
https://spaces.at.internet2.edu/display/InCFederation/Key+Rollover
But for signing it should be rather simple: If your SP signs anything
the recipient of that message must already have the public key in order
to verify the signature. So first publish a new cert with use=signing,
wait for propagation (or propagate manually, if required), then switch
the software from signing with the old key to signing with the new
key. Done. (Cleanup later by removing the old key from metadata.)
-peter
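The ordering Peter describes (publish the new signing cert in metadata, wait for propagation, only then switch the SP to signing with it, and drop the old cert last) can be checked mechanically before each step. The following is an added example, not code from the mailing-list post or from the Shibboleth project: it parses SAML 2.0 metadata with the standard library, collects every certificate a relying party may use to verify this SP's signatures (`KeyDescriptor` elements with `use="signing"` or with no `use` attribute, which covers both uses), and answers two questions: is the key we are about to sign with already published, and may the old one be removed yet. The metadata document and the certificate bodies (`OLDSIGNINGCERT`, `NEWSIGNINGCERT`, `ENCCERT`) are constructed placeholders, not real certificates; the function names are this example's own.

```python
"""Rollover-order check for an SP signing key.

Added example (not from the mailing-list post or the Shibboleth project).
Assumptions: the input is SAML 2.0 metadata XML as a relying party would
fetch it; certificates are compared by their base64 body after stripping
PEM armor and whitespace.
"""
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: SP metadata in the middle of a rollover. Both the old
# and the new signing certs are published, plus one encryption cert.
# The certificate bodies are placeholders, not real certificates.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}" entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        OLDSIGNINGCERT
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>NEWSIGNINGCERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>ENCCERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def _normalize(pem_or_b64: str) -> str:
    """Strip PEM armor and all whitespace so certs compare by content."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem_or_b64)
    return re.sub(r"\s+", "", body)


def published_signing_certs(metadata_xml: str) -> list[str]:
    """Certificates a relying party may use to verify this SP's signatures:
    KeyDescriptors with use="signing" or with no use attribute at all
    (no use attribute means the key serves both signing and encryption)."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            certs.append(_normalize(cert.text or ""))
    return certs


def safe_to_switch(metadata_xml: str, new_cert: str) -> bool:
    """True only if the cert the SP is about to sign with is already
    published for signing. Switching before that point makes every
    signed message unverifiable at the relying party."""
    return _normalize(new_cert) in published_signing_certs(metadata_xml)


def safe_to_remove_old(metadata_xml: str, old_cert: str, current_cert: str) -> bool:
    """Cleanup check: the old cert may leave the metadata only once the SP
    already signs with a different cert that is itself still published."""
    published = published_signing_certs(metadata_xml)
    return (_normalize(old_cert) != _normalize(current_cert)
            and _normalize(current_cert) in published)


if __name__ == "__main__":
    print(safe_to_switch(SAMPLE_METADATA, "NEWSIGNINGCERT"))   # True
    print(safe_to_switch(SAMPLE_METADATA, "NOTYETPUBLISHED"))  # False
    print(safe_to_remove_old(SAMPLE_METADATA, "OLDSIGNINGCERT", "NEWSIGNINGCERT"))  # True
```

In practice you would feed `safe_to_switch` the metadata as served by the federation (or by each IdP's metadata source, where propagation is manual) rather than your own local copy, since it is the relying party's view that decides whether a signature can be verified.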