This page describes the process of certificate rollover for a Shibboleth Service Provider (SP). The procedure below lets you replace the certificates without any service disruption.
A default Shibboleth SP 3 installation has both an encryption and a signing certificate. Older installations might have a single certificate used for both encryption and signing.
Step 0 : Create new certificate
Note: shib-keygen creates a 3072-bit key by default. To get a 4096-bit key you have to edit the file manually.
To generate new keypairs and self-signed certificates for the SP, run the following commands as the root user:
sudo -s
cd /etc/shibboleth/certs
# Save old encryption cert
mv sp-encrypt-cert.pem sp-encrypt-cert-old.pem
mv sp-encrypt-key.pem sp-encrypt-key-old.pem
# Create new certs
# Signing will be activated later but we need it to update Metadata
shib-keygen -n sp-signing-new
# Encryption will be activated directly
shib-keygen -n sp-encrypt-new
With the above commands, new certificates and private keys are generated in the /etc/shibboleth/certs directory.
Step 1 : Add key to Shibboleth
Edit /etc/shibboleth/shibboleth2.xml and add a second encryption key entry for the old encryption key. This is needed during the rollover until all IdPs have picked up the new key.
Before | After |
---|---|
<CredentialResolver type="File" use="signing" | <CredentialResolver type="File" use="signing" |
Test the config and, if no problems appear, restart the service:
sudo -s
# Test config
/usr/sbin/shibd -tc /etc/shibboleth/shibboleth2.xml
service shibd restart
Now the SP accepts both the new and the old encryption cert for incoming traffic, but still uses the old signing key for outgoing messages.
Step 2 : Upload new Metadata
Warning: the metadata the SP generates itself from the current shibboleth2.xml is not what we want to publish. It now shows the new and the old encryption cert plus the old signing cert; we want the new encryption cert plus both the new and the old signing cert.
First we need to update our XML: replace the encryption certificate and add the new signing certificate.
Download the XML from metadata.swamid.se and edit:
Replace | With |
---|---|
<md:KeyDescriptor use="encryption"> | <md:KeyDescriptor use="encryption"> |
- Upload the XML to metadata.swamid.se/admin.
- Use "Merge missing from published" to copy over all entity categories and MDUI information from the old entity if they are not already in the XML file.
- Request publication.
- Wait until you get confirmation of publication, and then at least 8 h more (24 h recommended in SWAMID, 48 h in eduGAIN) so that all entities pick up the new cert/key.
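Before uploading, it is worth checking that the edited XML really advertises the combination this step wants (new encryption cert, old and new signing certs). The following Python checker is an added example, not code from this page or from the Shibboleth project: it fingerprints every X509Certificate in the metadata per KeyDescriptor use and compares the sets with the PEM files you intend to be live. The entityID and the certificate bytes are constructed stand-ins; on a real host you would read the PEMs from /etc/shibboleth/certs and the XML you are about to upload.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def pem_body(pem: str) -> str:
    """The base64 between the PEM armour lines (the format shib-keygen writes)."""
    return "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))

def fingerprint(b64_der: str) -> str:
    """SHA-256 of the DER bytes: what openssl x509 -sha256 -fingerprint prints, minus the colons."""
    return hashlib.sha256(base64.b64decode("".join(b64_der.split()))).hexdigest()

def metadata_fingerprints(xml_text: str) -> dict:
    """use -> set of fingerprints advertised by <md:KeyDescriptor>; a KeyDescriptor
    without a use attribute applies to both signing and encryption."""
    found = {"signing": set(), "encryption": set()}
    for kd in ET.fromstring(xml_text).iterfind(".//md:KeyDescriptor", NS):
        uses = [kd.get("use")] if kd.get("use") else list(found)
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            for use in uses:
                found[use].add(fingerprint(cert.text))
    return found

def rollover_state_ok(xml_text: str, expected: dict) -> bool:
    """True when the metadata lists exactly the expected PEM certs for each use, no more, no less."""
    found = metadata_fingerprints(xml_text)
    return all(found[u] == {fingerprint(pem_body(p)) for p in pems} for u, pems in expected.items())

# Constructed stand-ins: distinct bytes in PEM armour play the role of DER certificates.
def _fake_pem(label: bytes) -> str:
    b64 = base64.b64encode(hashlib.sha512(label).digest()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

SIGN_OLD, SIGN_NEW, ENC_OLD, ENC_NEW = (_fake_pem(n) for n in (b"sign-old", b"sign-new", b"enc-old", b"enc-new"))

def _key_descriptor(use: str, pem: str) -> str:
    return (f'<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
            f'{pem_body(pem)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')

# What Step 2 wants published: the new encryption cert plus both the old and the new signing cert.
STEP2_METADATA = (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
                  'entityID="https://sp.example.org/shibboleth"><md:SPSSODescriptor>'
                  + _key_descriptor("signing", SIGN_OLD) + _key_descriptor("signing", SIGN_NEW)
                  + _key_descriptor("encryption", ENC_NEW) + "</md:SPSSODescriptor></md:EntityDescriptor>")
```

The same function, fed the files you expect to be live after Step 3 or Step 5, checks the later metadata uploads as well.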
Step 3 : Switch signing cert
Run the following commands as the root user:
sudo -s
cd /etc/shibboleth/certs
# Save old signing cert
mv sp-signing-cert.pem sp-signing-cert-old.pem
mv sp-signing-key.pem sp-signing-key-old.pem
# Swap in new signing cert
mv sp-signing-new-cert.pem sp-signing-cert.pem
mv sp-signing-new-key.pem sp-signing-key.pem
Test the config and, if no problems appear, restart the service:
sudo -s
# Test config
/usr/sbin/shibd -tc /etc/shibboleth/shibboleth2.xml
service shibd restart
Step 4 : Upload new Metadata again
Step 5 : Disable / remove key from software
Edit /etc/shibboleth/shibboleth2.xml and remove the old encryption key, so that the SP stops accepting messages encrypted with it.
Before | After |
---|---|
<CredentialResolver type="File" use="signing" | <CredentialResolver type="File" use="signing" |
Test the config and, if no problems appear, restart the service:
sudo -s
# Test config
/usr/sbin/shibd -tc /etc/shibboleth/shibboleth2.xml
service shibd restart
# When we are sure everything works we can remove the old files.
cd /etc/shibboleth/certs
rm sp-signing-cert-old.pem sp-signing-key-old.pem sp-encrypt-key-old.pem sp-encrypt-cert-old.pem