Expiring IDP signing certificate

Les LaCroix llacroix at carleton.edu
Fri Jun 3 17:28:45 UTC 2022


I have an old campus SP that I wanted to start publishing via InCommon
before switching it over to using our Cirrus social login proxy.  The SP
has an expired cert.  Federation Manager said no.  I was sad.  But I got
over it.  -Les

<http://www.carleton.edu/>

*Les LaCroix '79*

Strategic Technologist

Information Technology Services

t: (507) 222-5455


On Fri, Jun 3, 2022 at 11:18 AM Wessel, Keith via users <
users at shibboleth.net> wrote:

> Shibboleth SPs won’t care if it expires. That can’t be said to be true for
> all SAML implementations and vendors.
>
>
>
> And even though nothing will break, it’s highly advisable to not have an
> expired certificate published with your InCommon metadata.
>
>
>
> Keith
>
>
>
>
>
> *From:* users <users-bounces at shibboleth.net> *On Behalf Of *Ullfig,
> Roberto Alfredo via users
> *Sent:* Friday, June 3, 2022 11:16 AM
> *To:* Shib Users <users at shibboleth.net>
> *Cc:* Ullfig, Roberto A (UIC) <rullfig at uic.edu>
> *Subject:* Re: Expiring IDP signing certificate
>
>
>
> If you google for "replacing IDP cert incommon" you will get some hits to
> useful documentation but those sites are currently unavailable. As I
> understand it though, that certificate expiration date is entirely
> advisory, nothing should break or change when that self-signed certificate
> expires. The expiration date is merely advising that you should
> periodically replace the certificate.
>
>
>
> ---
>
> Roberto Ullfig - rullfig at uic.edu
> Systems Administrator
> Enterprise Applications & Services | Technology Solutions
> University of Illinois - Chicago
> ------------------------------
>
> *From:* users <users-bounces at shibboleth.net> on behalf of Ho, PeiQuan via
> users <users at shibboleth.net>
> *Sent:* Friday, June 3, 2022 10:51 AM
> *To:* users at shibboleth.net <users at shibboleth.net>
> *Cc:* Ho, PeiQuan <PeiQuan.Ho at tufts.edu>
> *Subject:* Expiring IDP signing certificate
>
>
>
> Hi,
>
>
>
>   Our IDP signing certificate as used in
> shibboleth.DefaultSigningCredential is expiring.  It is the 10-year
> self-signed certificate as recommended during installation.  What is the
> process to update/rollover this cert with minimal impact to SPs?
>
>
>
> Thanks,
>
> -PQ
>
>