No certificate in Shibboleth SP metadata

No certificate in Shibboleth SP metadata

Hong Ye

Hello,

 

In shibboleth2.xml, CredentialResolver is defined and sp-key.pem and sp-cert.pem are in the same directory as shibboleth2.xml

<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>

 

When I accessed the SP metadata from https://mydomain/Shibboleth.sso/Metadata, I don’t see a certificate for encryption defined in the metadata. Am I missing anything in my config?

 

Thanks,

Hong


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
Re: No certificate in Shibboleth SP metadata

Hall, Gerry

Make sure the sp-cert.pem and the sp-key.pem are owned/readable by shibd.

 

_______

 

From: users <[hidden email]> on behalf of Hong Ye <[hidden email]>
Reply-To: Shib Users <[hidden email]>
Date: Wednesday, May 30, 2018 at 10:57 AM
To: Shib Users <[hidden email]>
Subject: No certificate in Shibboleth SP metadata

 

Hello,

 

In shibboleth2.xml, CredentialResolver is defined and sp-key.pem and sp-cert.pem are in the same directory as shibboleth2.xml

<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>

 

When I accessed the SP metadata from https://mydomain/Shibboleth.sso/Metadata, I don’t see a certificate for encryption defined in the metadata. Am I missing anything in my config?

 

Thanks,

Hong




This e-mail message (including any attachments) is for the sole use of
the intended recipient(s) and may contain confidential and privileged
information. If the reader of this message is not the intended
recipient, you are hereby notified that any dissemination, distribution
or copying of this message (including any attachments) is strictly
prohibited.

If you have received this message in error, please contact
the sender by reply e-mail message and destroy all copies of the
original message (including attachments).

Re: No certificate in Shibboleth SP metadata

Hong Ye

Gerry,

 

Thanks for the reply. They are owned by shibd and there is no error in shib log.

 

-rw------- 1 shibadm shibadm  1834 May 30 10:45 sp-key.pem

-rw-r--r-- 1 shibadm shibadm  1375 May 30 10:45 sp-cert.pem

 

shibadm   5001     1  0 11:18 ?        00:00:00 /usr/sbin/shibd -p /var/run/shibboleth/shibd.pid -f -w 30

 

Hong

 

From: "Hall, Gerry" <[hidden email]>
Date: Wednesday, May 30, 2018 at 11:05 AM
To: Shib Users <[hidden email]>
Cc: Hong Ye <[hidden email]>
Subject: Re: No certificate in Shibboleth SP metadata

 

Make sure the sp-cert.pem and the sp-key.pem are owned/readable by shibd.

 


Re: No certificate in Shibboleth SP metadata

Hong Ye

Found the problem. It was because the private key file has a passphrase.

 

Hong

 

From: users <[hidden email]> on behalf of Hong Ye <[hidden email]>
Reply-To: Shib Users <[hidden email]>
Date: Wednesday, May 30, 2018 at 11:26 AM
To: "Hall, Gerry" <[hidden email]>, Shib Users <[hidden email]>
Subject: Re: No certificate in Shibboleth SP metadata

 

Gerry,

 

Thanks for the reply. They are owned by shibd and there is no error in shib log.

 

-rw------- 1 shibadm shibadm  1834 May 30 10:45 sp-key.pem

-rw-r--r-- 1 shibadm shibadm  1375 May 30 10:45 sp-cert.pem

 

shibadm   5001     1  0 11:18 ?        00:00:00 /usr/sbin/shibd -p /var/run/shibboleth/shibd.pid -f -w 30

 

Hong

 

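The cause found at the end of this thread, a passphrase on sp-key.pem, can be spotted from the key file's PEM header before looking anywhere else. The script below is an added example, not part of the thread or of Shibboleth: the function names are hypothetical and the sample files are constructed headers, not real keys.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Classifies a PEM private key by its header so an encrypted key (one that
# needs a passphrase) is spotted before shibd is pointed at it.

# Prints: plain | encrypted | unreadable | not-a-key
pem_key_state() {
    key=$1
    [ -r "$key" ] || { echo unreadable; return 0; }
    # PKCS#8 encrypted container.
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$key"; then
        echo encrypted; return 0
    fi
    # Traditional OpenSSL PEM: encryption is flagged by a Proc-Type header.
    if grep -q -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$key"; then
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$key"; then
            echo encrypted
        else
            echo plain
        fi
        return 0
    fi
    echo not-a-key
}

# Succeeds only if the key is readable and carries no passphrase.
key_loads_without_password() {
    state=$(pem_key_state "$1")
    [ "$state" = plain ] && return 0
    echo "$1: $state" >&2
    return 1
}

# Constructed samples: PEM headers only, no real key material.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'AAAA' \
        '-----END PRIVATE KEY-----' > "$tmp/plain.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
        'Proc-Type: 4,ENCRYPTED' 'DEK-Info: AES-256-CBC,00' '' 'AAAA' \
        '-----END RSA PRIVATE KEY-----' > "$tmp/legacy-enc.pem"
    for f in "$tmp"/*.pem; do
        printf '%s: %s\n' "${f##*/}" "$(pem_key_state "$f")"
    done
    rm -rf "$tmp"
}
demo
```

Run it as the account shibd runs under (shibadm in the listing above) so the readability check reflects what the daemon sees. If the key is reported as encrypted, either store it without a passphrase or supply the passphrase through the CredentialResolver's `password` attribute.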