
Certificate Rollover for the Shibboleth Service Provider


Please note

This documentation is taken from https://help.switch.ch/aai/guides/sp/certificate-rollover/. You can perform an interactive configuration of the service provider there.

On this page, you will learn how to perform a certificate rollover with the Shibboleth service provider. This has the advantage that there is no downtime when you swap certificates.

This requires that you operate a Shibboleth service provider with the official packages from the Shibboleth Consortium (see Installation).

Step 1
To do this, first request a certificate from the DFN-Verein Community PKI. Once you have received it, edit the CredentialResolver in the file /etc/shibboleth/shibboleth2.xml as follows:

        <!--
        Certificate/Private key pairs are read in sequence.
        Unless specifically defined, only the first
        CredentialResolver is used for attribute requests.
        More information:
        https://wiki.shibboleth.net/confluence/display/SP3/CredentialResolver
        -->
        <CredentialResolver type="Chaining">
             <!-- Active certificate -->
             <CredentialResolver type="File"
                                 key="/etc/shibboleth/sp-key.pem"
                                 certificate="/etc/shibboleth/sp-cert.pem"/>
             <!-- Additional new certificate -->
             <CredentialResolver type="File"
                                 key="/etc/shibboleth/sp-key-2025.pem"
                                 certificate="/etc/shibboleth/sp-cert-2025.pem"/>
        </CredentialResolver>

Please note that the permissions for the certificate/key pair must be correct. The Shibboleth service provider usually runs under the user and group shibd.

Step 2
After making the change, check the configuration using “shibd -t”. No errors should occur.

Step 3
Next, restart the service using “systemctl restart shibd”. Now both the old and new certificates are active.

Step 4
Add the new certificate in the Service Provider Manager.

Step 5
Inform us of the upcoming certificate change by sending an email to servicedesk@itc.rwth-aachen.de.

The metadata with the new, additional certificate will then be updated shortly and the status in the Service Provider Manager will change from “requested” to “productive.” From this point on, both certificates will be valid.

Step 6
Once the status has changed in Service Provider Manager or you have been notified of the switch by email, you can swap the order again. This time, the new certificate comes first and the old certificate second:

        <!--
        Certificate/Private key pairs are read in sequence.
        Unless specifically defined, only the first
        CredentialResolver is used for attribute requests.
        More information:
        https://wiki.shibboleth.net/confluence/display/SP3/CredentialResolver
        -->
        <CredentialResolver type="Chaining">
             <!-- Active certificate -->
             <CredentialResolver type="File"
                                 key="/etc/shibboleth/sp-key-2025.pem"
                                 certificate="/etc/shibboleth/sp-cert-2025.pem"/>
             <!-- Additional old certificate -->
             <CredentialResolver type="File"
                                 key="/etc/shibboleth/sp-key.pem"
                                 certificate="/etc/shibboleth/sp-cert.pem"/>
        </CredentialResolver>

Step 7
Check again that everything is OK using “shibd -t”.

Step 8
Restart the service using “systemctl restart shibd”.

Step 9
Remove the old certificate completely in the Service Provider Manager.

Step 10
Inform us by sending an email to servicedesk@itc.rwth-aachen.de so that the metadata can be adjusted.

Step 11
Once the change is complete, you can remove the old certificate from shibboleth2.xml.

last changed on 01/13/2026


Creative Commons License Agreement
This work is licensed under a Creative Commons Attribution - Share Alike 3.0 Germany License