...
| Replace | With |
|---|---|
| `<md:KeyDescriptor use="encryption">` | `<md:KeyDescriptor use="encryption">` |
- Upload the XML to metadata.swamid.se/admin.
- Use "Merge missing from published" to copy over all EntityCategory and MDUI information from the old entity if it is not already in the XML file.
- Request publication.
- Wait until you get confirmation of publication, then wait at least 8 h more (24 h recommended if in SWAMID, 48 h if in eduGAIN) so that all entities pick up the new cert/key.
Step 3: Switch signing cert
Rearrange keys and reload config
```bash
sudo -s
cd /opt/shibboleth-idp/credentials
# Backup old key
mv idp-signing.crt idp-signing-old.crt
mv idp-signing.key idp-signing-old.key
# Put new key in place
mv idp-signing.crt.new idp-signing.crt
mv idp-signing.key.new idp-signing.key
# The rest could be done as a normal user
exit
# To trigger the IdP to start using the changed credentials, reload the RelyingParty service,
# which also reloads conf/credentials.xml and its referenced credential files:
curl -k "https://127.0.0.1/idp/profile/admin/reload-service?id=shibboleth.RelyingPartyResolverService"
```
Step 4: Upload new Metadata again
Now we need to update our XML and remove the old signing certificate.
| Replace | With |
|---|---|
| `<md:KeyDescriptor use="encryption">` | `<md:KeyDescriptor use="encryption">` |
- Upload the XML to metadata.swamid.se/admin.
- Use "Merge missing from published" to copy over all EntityCategory and MDUI information from the old entity if it is not already in the XML file.
- Request publication.
...
Step 5: Disable / remove the old key from the software
Edit /opt/shibboleth-idp/conf/credentials.xml and comment out this block (add <!-- and --> around it):
```xml
<bean class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean"
      p:privateKeyResource="%{idp.encryption.key.2}"
      p:certificateResource="%{idp.encryption.cert.2}"
      p:entityId-ref="entityID" />
```
Reload the RelyingParty service (as in Step 3) so the IdP stops accepting encryption with the old keys.
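A way to check which phase the published metadata is in before and after Steps 2 and 4, as an added example that is not part of the original SWAMID page or of the Shibboleth IdP itself: it reads the KeyDescriptor elements of an entity, fingerprints every X509Certificate with SHA-256 (the same value `openssl x509 -noout -fingerprint -sha256` prints, without colons) and reports whether old and new certs overlap or the rollover has completed. The entityID and the certificate bytes in SAMPLE_METADATA are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def fingerprint(der):
    """SHA-256 hex digest over the DER bytes of one certificate."""
    return hashlib.sha256(der).hexdigest()


def cert_fingerprints(metadata_xml):
    """Map each key use to the fingerprints the entity advertises for it.
    A KeyDescriptor without a 'use' attribute covers signing AND encryption."""
    root = ET.fromstring(metadata_xml)
    found = {"signing": [], "encryption": []}
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        uses = [kd.get("use")] if kd.get("use") else list(found)
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            # Base64 in metadata is usually line-wrapped; drop whitespace first.
            der = base64.b64decode("".join(cert.text.split()))
            for use in uses:
                found[use].append(fingerprint(der))
    return found


def rollover_phase(metadata_xml, old_fp, new_fp, use="signing"):
    """'overlap' while both certs are published (state after Step 2),
    'rolled' once only the new one remains (state after Step 4)."""
    fps = cert_fingerprints(metadata_xml)[use]
    has_old, has_new = old_fp in fps, new_fp in fps
    if has_old and has_new:
        return "overlap"
    if has_new:
        return "rolled"
    return "not-started" if has_old else "unknown"


# Constructed sample: placeholder bytes stand in for real DER certificates.
OLD_DER = b"constructed-old-certificate"
NEW_DER = b"constructed-new-certificate"
_KD = ('<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
       '{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')
SAMPLE_METADATA = (
    '<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" entityID="https://idp.example.org/idp/shibboleth">'
    '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    % (NS["md"], NS["ds"])
    + _KD.format(use="signing", cert=base64.b64encode(NEW_DER).decode())     # new signing cert
    + _KD.format(use="signing", cert=base64.b64encode(OLD_DER).decode())     # old one still published
    + _KD.format(use="encryption", cert=base64.b64encode(NEW_DER).decode())  # encryption already rolled
    + "</md:IDPSSODescriptor></md:EntityDescriptor>"
)
```

Run it against the entity's descriptor downloaded from the federation feed and the fingerprints of idp-signing-old.crt and idp-signing.crt to confirm the overlap before Step 3 and the removal after Step 4.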