NOT finished
This page describes the process of certificate rollover for Shibboleth Identity Providers. The procedure described below allows replacing certificates without any service disruptions.
A default Shibboleth SP 3 installation has both an encryption and a signing certificate.
Step 0 : Create new certificate
To generate a new keypair and self-signed certificate for the IdP, run the following commands as root user:
```sh
sudo -s
cd /etc/shibboleth
shib-keygen -n sp-signing-new
shib-keygen -n sp-encrypt-new
```
With the above commands, a new certificate and private key are generated inside the /etc/shibboleth/ directory.
Step 1 : Add key to Shibboleth
Edit /etc/shibboleth/shibboleth2.xml and add the new encryption key.
Before | After |
---|---|
<CredentialResolver type="File" use="signing" | <CredentialResolver type="File" use="signing" |
```sh
/usr/sbin/shibd -tc /etc/shibboleth/shibboleth2.xml
```
Rearrange keys and reload config
```sh
sudo -s
cd /opt/shibboleth-idp/credentials
# Backup old key
mv idp-encryption.crt idp-encryption-old.crt
mv idp-encryption.key idp-encryption-old.key
# Put new key in place
mv idp-encryption.crt.new idp-encryption.crt
mv idp-encryption.key.new idp-encryption.key
# The rest could be done as a normal user
exit
# To trigger the IdP to start using the changed credentials, reload the RelyingParty service,
# which also reloads conf/credentials.xml and its referenced credential files:
curl -k 'https://127.0.0.1/idp/profile/admin/reload-service?id=shibboleth.RelyingPartyResolverService'
```
Step 2 : Upload new Metadata
metadata/idp-metadata.xml is NOT automatically updated.
Note that the metadata is generated as a one-time operation during installation. It does not result from an in-depth analysis of the IdP configuration and does not change when the configuration changes. It's a starter example, not a real metadata source.
First we need to update our XML: replace the encryption certificate and add the new signing certificate.
Either download the XML from metadata.swamid.se OR edit the "original" file /opt/shibboleth-idp/idp-metadata.xml
Replace | With |
---|---|
<md:KeyDescriptor use="encryption"> | <md:KeyDescriptor use="encryption"> |
- Upload the XML to metadata.swamid.se/admin.
- Use "Merge missing from published" to copy over all Entity Categories and MDUI information from the old entity if they are not already in the XML file.
- Request publication.
- Wait until you get confirmation of publication, and then at least 8 h more (24 h recommended within SWAMID, 48 h in eduGAIN) for all entities to pick up the new certificate/key.
Step 3 : Switch signing cert
Rearrange keys and reload config
```sh
sudo -s
cd /opt/shibboleth-idp/credentials
# Backup old key
mv idp-signing.crt idp-signing-old.crt
mv idp-signing.key idp-signing-old.key
# Put new key in place
mv idp-signing.crt.new idp-signing.crt
mv idp-signing.key.new idp-signing.key
# The rest could be done as a normal user
exit
# To trigger the IdP to start using the changed credentials, reload the RelyingParty service,
# which also reloads conf/credentials.xml and its referenced credential files:
curl -k 'https://127.0.0.1/idp/profile/admin/reload-service?id=shibboleth.RelyingPartyResolverService'
```
Step 4 : Upload new Metadata again
Now we need to update our XML and remove the old signing certificate.
Replace | With |
---|---|
<md:KeyDescriptor use="encryption"> | <md:KeyDescriptor use="encryption"> |
- Upload the XML to metadata.swamid.se/admin.
- Use "Merge missing from published" to copy over all Entity Categories and MDUI information from the old entity if they are not already in the XML file.
- Request publication.
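As an added check that is not part of the original page, the Python below parses IdP metadata, fingerprints the certificate in every md:KeyDescriptor and reports which of the states from Steps 2 and 4 the published file is in (new encryption certificate only, old plus new signing certificate while relying parties catch up, then new signing only). The DER blobs and the entityID are constructed placeholders, and build_metadata exists only to produce test input; in practice you would feed it the downloaded metadata and the fingerprints of the new .crt files.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed stand-ins for DER certificate bytes; in practice read the .crt files.
OLD_SIGNING_DER = b"constructed: old idp-signing.crt"
NEW_SIGNING_DER = b"constructed: new idp-signing.crt"
OLD_ENCRYPTION_DER = b"constructed: old idp-encryption.crt"
NEW_ENCRYPTION_DER = b"constructed: new idp-encryption.crt"

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint (hex) of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

def build_metadata(signing: list, encryption: list) -> str:
    """Minimal IdP metadata with one KeyDescriptor per certificate (constructed test input)."""
    def kd(use, der):
        b64 = base64.b64encode(der).decode()
        return (f'<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data>'
                f'<ds:X509Certificate>{b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')
    body = "".join(kd("signing", d) for d in signing) + "".join(kd("encryption", d) for d in encryption)
    return (f'<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="https://idp.example.org/idp">'
            f'<md:IDPSSODescriptor>{body}</md:IDPSSODescriptor></md:EntityDescriptor>')

def key_descriptors(metadata_xml: str) -> list:
    """(use, fingerprint) for every published certificate; no use attribute means both uses."""
    out = []
    for kd in ET.fromstring(metadata_xml).iter(f"{{{MD}}}KeyDescriptor"):
        use = kd.get("use", "both")
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            out.append((use, fingerprint(base64.b64decode("".join(cert.text.split())))))
    return out

def rollover_state(metadata_xml: str, new_signing_fp: str, new_encryption_fp: str) -> str:
    """Classify published metadata against the rollover steps on this page."""
    descriptors = key_descriptors(metadata_xml)
    signing = [fp for use, fp in descriptors if use in ("signing", "both")]
    encryption = [fp for use, fp in descriptors if use in ("encryption", "both")]
    if encryption != [new_encryption_fp]:
        return "encryption-not-switched"  # Step 2 publishes exactly the new encryption cert
    if new_signing_fp not in signing:
        return "new-signing-missing"      # Step 2 also adds the new signing cert
    if len(signing) == 2:
        return "rollover-in-progress"     # old and new signing both published: wait before Step 3
    if signing == [new_signing_fp]:
        return "rollover-complete"        # Step 4 done: only the new signing cert remains
    return "unexpected"
```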
Step 5 : Disable / remove key from software.
Edit /opt/shibboleth-idp/conf/credentials.xml and comment out this block (add <!-- and --> around it):
```xml
<bean class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean"
      p:privateKeyResource="%{idp.encryption.key.2}"
      p:certificateResource="%{idp.encryption.cert.2}"
      p:entityId-ref="entityID" />
```
Reload the config to stop accepting encryption with the old keys.
/etc/shibboleth/shibboleth2.xml
```xml
<CredentialResolver type="File" use="signing" key="certs/sp-signing-key.pem" certificate="certs/sp-signing-cert.pem"/>
<CredentialResolver type="File" use="encryption" key="certs/sp-encrypt-key.pem" certificate="certs/sp-encrypt-cert.pem"/>
```
- certs/sp-encrypt-cert.pem
- certs/sp-encrypt-key.pem
- certs/sp-signing-cert.pem
- certs/sp-signing-key.pem