Certificate Rollover for the Shibboleth Service Provider
If you are operating a Shibboleth Service Provider installed from the official Shibboleth Consortium packages (see Installation), you can perform a so-called "certificate rollover" when changing certificates. The advantage is that swapping certificates causes no downtime.
To perform a certificate rollover, you must first apply for a new server certificate as normal. Once you have received the certificate, you must add it in the /etc/shibboleth/shibboleth2.xml file as follows:
<CredentialResolver type="File" key="sp.key" certificate="sp.crt"/>
<!-- enter the new certificate here -->
<CredentialResolver type="File" key="sp_new.key" certificate="sp_new.crt"/>
- Check whether the service still works with this configuration:
shibd -t
- RHEL-based systems (CentOS, Rocky Linux, etc.) require LD_LIBRARY_PATH to be extended:
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/shibboleth/lib64/
- Then restart the Shibboleth service:
systemctl restart shibd
- Now email the IT-ServiceDesk at servicedesk@itc.rwth-aachen.de to inform the IT Center of the pending certificate change.
- After 2-3 days, swap the order of the two CredentialResolver entries in the /etc/shibboleth/shibboleth2.xml file. Then restart the Shibboleth service:
systemctl restart shibd
- After a further 2-3 days, remove the old certificate's CredentialResolver entry entirely and restart Shibboleth once more. Optionally, send a further email to servicedesk@itc.rwth-aachen.de to let the IT Center know that the certificate change is complete.
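While both CredentialResolver entries are configured, the SP's own metadata (served at /Shibboleth.sso/Metadata by default) should advertise both certificates, and only the new one after the old entry has been removed. The following script is an added check, not part of this page or of the Shibboleth project; the metadata document and certificate bodies it contains are constructed stand-ins, and the entityID is a placeholder.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Namespaces used by the SAML 2.0 metadata the SP serves at /Shibboleth.sso/Metadata.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def pem_to_der(pem_text):
    """Return the DER bytes of the first CERTIFICATE block in a PEM file's text."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def advertised_certs(metadata_xml):
    """DER bytes of every certificate listed in a <md:KeyDescriptor> of the SP metadata."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        for node in kd.iterfind(".//ds:X509Certificate", NS):
            certs.append(base64.b64decode("".join((node.text or "").split())))
    return certs

def check_rollover_stage(metadata_xml, expected_pems):
    """True iff the metadata advertises exactly the expected certificate set:
    [old, new] while both entries are configured, [new] after the old one is removed."""
    return set(advertised_certs(metadata_xml)) == {pem_to_der(p) for p in expected_pems}

def fake_pem(body_b64):
    """Constructed stand-in for sp.crt / sp_new.crt (the body is not real DER)."""
    return f"-----BEGIN CERTIFICATE-----\n{body_b64}\n-----END CERTIFICATE-----\n"

OLD_B64 = base64.b64encode(b"constructed old sp.crt").decode()
NEW_B64 = base64.b64encode(b"constructed new sp_new.crt").decode()
OLD_PEM, NEW_PEM = fake_pem(OLD_B64), fake_pem(NEW_B64)

# Constructed sample of what the SP publishes while both credentials are configured.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {OLD_B64}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {NEW_B64}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
```

On a real SP, pass the text fetched from /Shibboleth.sso/Metadata and the contents of the certificate files from /etc/shibboleth to check_rollover_stage instead of the constructed values.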