
I am trying to upgrade the browser-facing certificate on the Shibboleth Service Provider (SP). The existing setup has a single certificate both in shibboleth2.xml and in sp-metadata.xml. Snippets from the implementation are as follows:

shibboleth2.xml:

<CredentialResolver type="Chaining">
   <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
</CredentialResolver>

sp-metadata.xml:

<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:KeyName>sp.com</ds:KeyName>
    <ds:X509Data>
        <ds:X509SubjectName>CN=sp.com,C=US</ds:X509SubjectName>
        <ds:X509Certificate>ABCxyz
            az1234
        </ds:X509Certificate>
    </ds:X509Data>
</ds:KeyInfo>

The file sp-cert.pem mentioned in shibboleth2.xml is as follows:

-----BEGIN CERTIFICATE-----
ABCxyz
az1234
-----END CERTIFICATE-----

Now I have generated a new certificate, which includes a domain certificate (sp-cert-dom.pem) for sp.com and an intermediate certificate (sp-cert-int.pem), as follows:

sp-cert-dom.pem

-----BEGIN CERTIFICATE-----
abcdef
123456
-----END CERTIFICATE-----

sp-cert-int.pem

-----BEGIN CERTIFICATE-----
UVWXYZ
xa9900
-----END CERTIFICATE-----

I have combined both certificates into a single file (sp-cert1.pem) as follows:

-----BEGIN CERTIFICATE-----
abcdef
123456
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
UVWXYZ
xa9900
-----END CERTIFICATE-----

Then I have updated shibboleth2.xml (after notifying all the stakeholders about the change) to point to the new certificate:

<CredentialResolver type="Chaining">
   <CredentialResolver type="File" key="sp-key1.pem" certificate="sp-cert1.pem"/>
</CredentialResolver>

However, I am stuck trying to figure out how to update sp-metadata.xml with the new certificate. I have the following questions:

1. Do I really have to provide both the domain and the intermediate certificate details, or should the domain certificate be enough?

2. If the answer is "both", which of the following options should my sp-metadata.xml look like?

(a) Multiple ds:X509Certificate elements for the same ds:KeyInfo element.

<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:KeyName>sp.com</ds:KeyName>
    <ds:X509Data>
        <ds:X509SubjectName>CN=sp.com,C=US</ds:X509SubjectName>
        <ds:X509Certificate>abcdef
            123456
        </ds:X509Certificate>
        <ds:X509Certificate>UVWXYZ
            xa9900
        </ds:X509Certificate>
    </ds:X509Data>
</ds:KeyInfo>

(b) Multiple ds:KeyInfo elements.

<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:KeyName>sp.com</ds:KeyName>
    <ds:X509Data>
        <ds:X509SubjectName>CN=sp.com,C=US</ds:X509SubjectName>
        <ds:X509Certificate>abcdef
            123456
        </ds:X509Certificate>
    </ds:X509Data>
</ds:KeyInfo>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:KeyName>Symantec Class 3 Secure Server CA - G4</ds:KeyName>
    <ds:X509Data>
        <ds:X509SubjectName>CN=sp.com,C=US</ds:X509SubjectName>
        <ds:X509Certificate>UVWXYZ
            xa9900
        </ds:X509Certificate>
    </ds:X509Data>
</ds:KeyInfo>

Thanks in advance.

PS: I did take a look at "Validating a signature without intermediate certificate" but did not get a clear answer to my question.

POJO
1 Answer


The SP does not care about the browser-facing certificate. The browser-facing certificate (and key) is managed via Apache httpd [1] or IIS [2]. The key and cert used by the Shibboleth SP software is usually self-signed, as it is really only used as a vehicle for storing the public key, hence it is usually a 10-20 year cert.

[1] https://httpd.apache.org/docs/2.4/ssl/
[2] https://technet.microsoft.com/en-us/library/cc732230(v=ws.10).aspx

John Gasper
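Following the answer's point that the certificate belonging in sp-metadata.xml is the one the SP's own CredentialResolver uses (not httpd's TLS certificate), here is an added consistency check, not code from either poster or from the Shibboleth project: it reads the certificate file named in shibboleth2.xml and reports whether each ds:X509Certificate in the metadata appears in it, ignoring the line breaks XML Signature allows inside the base64. The file contents are constructed stand-ins reusing the question's placeholder bodies, and the metadata deliberately still carries the old "ABCxyz" entry to show how a stale one is flagged.

```python
import re
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed stand-ins for the question's files; the base64 bodies are the question's placeholders, not real certificates.
SHIBBOLETH2_XML = """<CredentialResolver type="Chaining">
   <CredentialResolver type="File" key="sp-key1.pem" certificate="sp-cert1.pem"/>
</CredentialResolver>"""
FILES = {  # file name -> contents, standing in for reading from disk
    "sp-cert1.pem": "-----BEGIN CERTIFICATE-----\nabcdef\n123456\n-----END CERTIFICATE-----\n"
                    "-----BEGIN CERTIFICATE-----\nUVWXYZ\nxa9900\n-----END CERTIFICATE-----\n",
}
SP_METADATA_XML = """<md:SPSSODescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>abcdef
                123456</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>ABCxyz
                az1234</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
</md:SPSSODescriptor>"""


def credential_files(shib_xml):
    """Certificate file names of every File-type CredentialResolver (namespace-agnostic tag match)."""
    root = ET.fromstring(shib_xml)
    return [e.get("certificate") for e in root.iter()
            if e.tag.rsplit("}", 1)[-1] == "CredentialResolver" and e.get("type") == "File"]


def pem_certs(pem_text):
    """Base64 body of each CERTIFICATE block, whitespace removed (leaf first in a chain file)."""
    return ["".join(body.split()) for body in PEM_RE.findall(pem_text)]


def metadata_certs(md_xml):
    """Base64 body of each ds:X509Certificate, whitespace removed (XML Signature permits line breaks)."""
    root = ET.fromstring(md_xml)
    return ["".join((e.text or "").split()) for e in root.iter(DS + "X509Certificate")]


def check(shib_xml, files, md_xml):
    """Map each metadata certificate to whether a configured certificate file contains it."""
    configured = [c for name in credential_files(shib_xml) for c in pem_certs(files[name])]
    return {cert: cert in configured for cert in metadata_certs(md_xml)}


if __name__ == "__main__":
    for cert, ok in check(SHIBBOLETH2_XML, FILES, SP_METADATA_XML).items():
        print(f"{cert}: {'matches SP config' if ok else 'STALE, not in any CredentialResolver file'}")
```

On a real deployment, replace FILES with the contents of the files under the SP's configuration directory and feed the real shibboleth2.xml and published metadata.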