
Certificate Rollover for the Shibboleth Serviceprovider


Brief information

If you operate a Shibboleth Service Provider installed from the official packages of the Shibboleth Consortium (see Installation), you can perform a so-called "certificate rollover" when changing certificates. The advantage is that swapping the certificates causes no downtime.

 

Detailed information

To perform a certificate rollover, first apply for a new server certificate as usual. Once you have received the certificate, add it to the /etc/shibboleth/shibboleth2.xml file next to the existing one, as follows. Keep the existing certificate as the first entry for now; the order is swapped in a later step.

    <CredentialResolver type="File" key="sp.key" certificate="sp.crt"/>

    <!-- enter new certificate here -->

    <CredentialResolver type="File" key="sp_new.key" certificate="sp_new.crt"/>

 
  • Check that shibd accepts the new configuration before restarting anything:

    shibd -t

  • On RHEL-based systems (CentOS, Rocky Linux etc.) LD_LIBRARY_PATH must be extended first, otherwise shibd does not find its libraries under /opt/shibboleth:
    export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/shibboleth/lib64/
  • Then restart the Shibboleth service:
    systemctl restart shibd
  • Now contact the IT-ServiceDesk by email at servicedesk@itc.rwth-aachen.de and inform the IT Center about the pending change of certificates.
  • After 2-3 days, swap the order of the two CredentialResolver entries in /etc/shibboleth/shibboleth2.xml so that the new certificate is listed first, then restart the Shibboleth service:
    systemctl restart shibd
  • After a further 2-3 days, you can remove the old certificate entry completely. After doing so, restart Shibboleth once more. Optionally, send a further email to servicedesk@itc.rwth-aachen.de to inform the IT Center that the change of certificates has been completed.
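Before each restart it helps to confirm that shibboleth2.xml really reflects the intended step of this procedure. The following script is an added example and not part of the IT Center's guide: it reads the CredentialResolver entries in document order, flags copy-paste slips such as a file referenced twice, and maps the order onto the phases above (the phase numbers are this example's own). It assumes the SP 3 configuration namespace and the file names sp.crt/sp_new.crt used in the guide; the embedded configuration is a constructed sample.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the relevant part of shibboleth2.xml (SP 3 namespace),
# using the file names from the guide; it is not a real configuration.
SAMPLE_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <CredentialResolver type="File" key="sp.key" certificate="sp.crt"/>
    <!-- new certificate added here -->
    <CredentialResolver type="File" key="sp_new.key" certificate="sp_new.crt"/>
  </ApplicationDefaults>
</SPConfig>"""

def credential_resolvers(xml_text):
    """(key, certificate) of every File resolver, in document order.
    The namespace is stripped so SP 2 and SP 3 configs are handled alike."""
    root = ET.fromstring(xml_text)
    return [(el.get("key"), el.get("certificate")) for el in root.iter()
            if el.tag.split("}")[-1] == "CredentialResolver"
            and el.get("type") == "File"]

def rollover_phase(pairs, old_cert, new_cert):
    """Map the resolver order onto the steps of the guide; returns (phase, text).
    Phase 0 means not started, -1 means the list matches none of the steps."""
    certs = [cert for _, cert in pairs]
    if certs == [old_cert]:
        return 0, "only the old certificate is configured; rollover not started"
    if certs == [old_cert, new_cert]:
        return 1, "new certificate added second; notify the IT Center and wait"
    if certs == [new_cert, old_cert]:
        return 2, "order swapped, new certificate first; old one still listed"
    if certs == [new_cert]:
        return 3, "old certificate removed; rollover complete"
    return -1, "unexpected resolver list: %r" % (certs,)

def check_pairs(pairs):
    """Problems worth fixing before running shibd -t: missing attributes or
    the same file referenced by two resolvers (a typical copy-paste slip)."""
    problems, seen = [], set()
    for key, cert in pairs:
        for name in (key, cert):
            if name is None:
                problems.append("resolver is missing key or certificate attribute")
            elif name in seen:
                problems.append("file referenced more than once: " + name)
            seen.add(name)
    return problems
```

Run it against the real file with credential_resolvers(open("/etc/shibboleth/shibboleth2.xml").read()) and compare the reported phase with the step you are about to perform.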

last changed on 09/06/2023


This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Germany License.