Shib v3 x509 certificate

Shib v3 x509 certificate

Ramaiah, Vanna G.

I am working on installing IdP 3 and have questions on what type of X.509 certificates to be used.

Can we have self-signed X.509 certificates (10 yr validity) for Shibboleth IdP or should that be registered (2 yr)? I am afraid that if I roll out a 2 year validity certificate, I need to work with SPs to get the certificate changed every 2 years.

Also, what do the SPs/InCommon usually trust in general?

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

Re: Shib v3 x509 certificate

Tom Scavo

Hi Vanna,

On Mon, Jul 2, 2018 at 4:31 PM, Ramaiah, Vanna G. <[hidden email]> wrote:
>
> I am working on installing IdP 3 and have questions on what type of X.509
> certificates to be used.

You should probably start by reading the SecurityAndNetworking [1]
topic, especially the section on Keys and Certificates.

> Can we have self-signed X.509 certificates (10 yr validity) for Shibboleth
> IdP or should that be registered (2 yr)? I am afraid that if I roll out a 2
> year validity certificate, I need to work with SPs to get the certificate
> changed every 2 years.

Depending on circumstances, none of that may matter.

> Also, what do the SPs/InCommon usually trust in general?

If your IdP metadata is registered with InCommon, you should
definitely start there. Search for the topic "X.509 Certificates in
Metadata" for specific recommendations.

HTH,

Tom

[1] SecurityAndNetworking https://wiki.shibboleth.net/confluence/x/VoEOAQ