Different KeyDescriptors
The KeyDescriptor stores a certificate, BUT the only interesting part is the public key inside that certificate! Peers only ever use the public key (to verify our signatures or to encrypt to us); the private part of the key pair is stored on the machine responsible for the Entity,
...
Doing Key rollover
Rolling encryption key
1. Create the new key pair and add it to the software so that it can decrypt incoming messages with both the old and the new key. Peers start encrypting to the new key as soon as they refresh metadata, so the software must accept it before the new metadata is published.
2. Upload the new XML with the new cert to metadata.swamid.se/admin and request publication. Wait until you get confirmation of publication and then for at least 8 h more (recommended 24 h if in SWAMID and 48 h in eduGAIN) for all entities to pick up the new cert/key.
3. All encrypted messages should now come with the new key. Skip to step 5.
4. (Nothing to do here: the old cert was already left out of the XML uploaded in step 2.)
5. Disable / remove the old key from the software.
Rolling signing key
1. Create the new key pair.
2. Upload the new XML with both the new and the old cert to metadata.swamid.se/admin and request publication. Wait until you get confirmation of publication and then for at least 8 h more (recommended 24 h if in SWAMID and 48 h in eduGAIN) for all entities to pick up the new cert/key.
3. All entities should now have our new signing key/cert. Switch the software to sign with the new key, then disable / remove the old key from the software. Do not start signing with the new key before the waiting period in step 2 is over: a peer that has not yet refreshed its metadata will reject those signatures.
4. Request removal of the old cert via metadata.swamid.se/admin.
5. Done.
Rolling combined encryption/signing key
1. Create the new key pair and add it to the software so that it can decrypt incoming messages with both the old and the new key.
2. Upload the new XML with the old cert marked use="signing" and the new cert without any use attribute to metadata.swamid.se/admin and request publication. A KeyDescriptor without a use attribute is valid for both signing and encryption, so from now on peers encrypt only to the new key while still accepting signatures made with either key. Wait until you get confirmation of publication and then for at least 8 h more (recommended 24 h if in SWAMID and 48 h in eduGAIN) for all entities to pick up the new cert/key.
3. All encrypted messages should now come with the new key, and all entities should now have our new signing key/cert. Switch the software to sign with the new key.
4. Request removal of the old cert via metadata.swamid.se/admin and request publication. Wait until you get confirmation of publication and then for at least 8 h more (recommended 24 h if in SWAMID and 48 h in eduGAIN) for all entities to drop the old cert/key.
5. Disable / remove the old key from the software.
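To make the KeyDescriptor `use` semantics behind the three procedures concrete, here is an added example (not SWAMID's tooling, nor code from any of the software listed below) in Python. It builds minimal SP metadata for each phase of the combined rollover and answers the question a peer asks when it reads our metadata: which certificates may it verify signatures against, and which may it encrypt to? The certificate bodies are constructed placeholders, not real X.509 certificates, and the entityID https://sp.example.org/shibboleth is an assumption; only the KeyDescriptor structure and the `use` attribute matter here.

```python
"""Inspect SAML 2.0 metadata KeyDescriptors during a key rollover.

Added example, not SWAMID's own code. The certificate bodies are
constructed placeholders (base64 of a label), not real X.509 data; the
logic only depends on which <md:KeyDescriptor> carries which `use`.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}

# Constructed placeholder certificate bodies, not real certificates.
OLD_CERT = "T0xELUNFUlQtUExBQ0VIT0xERVI="
NEW_CERT = "TkVXLUNFUlQtUExBQ0VIT0xERVI="
# Assumed entityID for the example SP.
ENTITY_ID = "https://sp.example.org/shibboleth"


def entity_metadata(key_descriptors):
    """Build a minimal SP EntityDescriptor from (cert, use) pairs.

    use=None emits a KeyDescriptor with no `use` attribute, which the SAML
    metadata spec treats as valid for both signing and encryption.
    """
    kds = []
    for cert, use in key_descriptors:
        attr = f' use="{use}"' if use else ""
        kds.append(
            f"<md:KeyDescriptor{attr}><ds:KeyInfo><ds:X509Data>"
            f"<ds:X509Certificate>{cert}</ds:X509Certificate>"
            f"</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
        )
    return (
        f'<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" '
        f'entityID="{ENTITY_ID}">'
        f'<md:SPSSODescriptor protocolSupportEnumeration='
        f'"urn:oasis:names:tc:SAML:2.0:protocol">'
        f"{''.join(kds)}</md:SPSSODescriptor></md:EntityDescriptor>"
    )


def key_roles(metadata_xml):
    """Return {'signing': [certs], 'encryption': [certs]} seen by a peer.

    A KeyDescriptor without a `use` attribute is counted for both roles.
    """
    root = ET.fromstring(metadata_xml)
    roles = {"signing": [], "encryption": []}
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        cert = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate",
                           namespaces=NS) or ""
        cert = "".join(cert.split())  # tolerate line-wrapped base64
        use = kd.get("use")
        if use not in (None, "signing", "encryption"):
            raise ValueError(f"unexpected use attribute: {use!r}")
        for role in roles:
            if use is None or use == role:
                roles[role].append(cert)
    return roles


def rollover_phase(metadata_xml, old_cert, new_cert):
    """Classify metadata as a phase of the combined signing/encryption rollover.

    'before'     : only the old cert, usable for both roles
    'transition' : old cert restricted to signing, new cert for both roles
    'after'      : only the new cert, usable for both roles
    'invalid'    : anything else, e.g. two encryption-capable certs, which
                   would let peers keep encrypting to the key being retired
    """
    roles = key_roles(metadata_xml)
    sig, enc = set(roles["signing"]), set(roles["encryption"])
    if sig == {old_cert} and enc == {old_cert}:
        return "before"
    if sig == {old_cert, new_cert} and enc == {new_cert}:
        return "transition"
    if sig == {new_cert} and enc == {new_cert}:
        return "after"
    return "invalid"


if __name__ == "__main__":
    for label, kds in [
        ("before", [(OLD_CERT, None)]),
        ("step 2", [(OLD_CERT, "signing"), (NEW_CERT, None)]),
        ("step 4", [(NEW_CERT, None)]),
        ("mistake", [(OLD_CERT, None), (NEW_CERT, None)]),
    ]:
        xml = entity_metadata(kds)
        print(label, key_roles(xml), rollover_phase(xml, OLD_CERT, NEW_CERT))
```

The "mistake" case is the one to watch for: uploading the old cert without `use="signing"` in step 2 leaves two encryption-capable KeyDescriptors, so peers are free to keep encrypting to the old key and step 5 would break decryption for them.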
Metadata during Key rollover
For information on how the metadata will look during each phase, please see Metadata during Key rollover.
Steps in different software
- Shibboleth IdP
- Shibboleth SP
- ADFS
- SimpleSAMLphp
Old pages
...