
Different KeyDescriptors

The KeyDescriptor stores a certificate, but the only interesting part is the public key stored inside the certificate. The private part of the key is stored on the machine responsible for the Entity,

...

Doing Key rollover

Rolling encryption key


  1. Create the key and add it to the software so that it can decrypt incoming messages.
  2. Upload the new XML with the new cert to metadata.swamid.se/admin and request publication. Wait until you get confirmation of publication and then for at least 8 h more (recommended 24 h if in SWAMID and 48 h in eduGAIN) for all entities to pick up the new cert/key.
  3. All encrypted messages should now come with the new key. Skip to 5.
  4. Skip to 5.
  5. Disable/remove the old key from the software.

Rolling signing key


  1. Create the key.
  2. Upload the new XML with both the new and the old cert to metadata.swamid.se/admin and request publication. Wait until you get confirmation of publication and then for at least 8 h more (recommended 24 h if in SWAMID and 48 h in eduGAIN) for all entities to pick up the new cert/key.
  3. All entities should now have our new signing key/cert. Switch the software to start signing with the new key. Disable/remove the old key from the software.
  4. Request removal of the old cert via metadata.swamid.se/admin.
  5. We are done.

Rolling combined encryption/signing key


  1. Create the key and add it to the software so that it can decrypt incoming messages.
  2. Upload the new XML with the old cert (marked use=signing) and the new cert without any use attribute to metadata.swamid.se/admin and request publication. Wait until you get confirmation of publication and then for at least 8 h more (recommended 24 h if in SWAMID and 48 h in eduGAIN) for all entities to pick up the new cert/key.
  3. All encrypted messages should now come with the new key and all entities should now have our new signing key/cert. Switch the software to start signing with the new key.
  4. Request removal of the old cert via metadata.swamid.se/admin and request publication. Wait until you get confirmation of publication and then for at least 8 h more (recommended 24 h if in SWAMID and 48 h in eduGAIN) for all entities to stop using the old encryption cert/key.
  5. Disable/remove the old key from the software.
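The three procedures above all come down to what set of KeyDescriptors is published at each phase: a cert with no use attribute may be used for both signing and encryption, use="signing" restricts it to signing, and during the combined rollover the old cert is restricted to signing while the new cert carries no use attribute. The script below is an added example written for this page, not a SWAMID tool; it builds a minimal SP metadata fragment for a given key set, lists the KeyDescriptors with their use attribute and SHA-256 fingerprint of the DER bytes, and labels which rollover phase the published set corresponds to. The "certificates" are constructed placeholder byte strings (a real run would use the DER of the actual X.509 certs), the entityID is made up, and the phase names are this example's own.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD_NS, "ds": DS_NS}

# Constructed placeholders standing in for DER-encoded X.509 certificates.
# Any bytes work here because the code only base64-encodes and hashes them.
OLD_CERT_DER = b"constructed-placeholder-old-cert"
NEW_CERT_DER = b"constructed-placeholder-new-cert"
ENTITY_ID = "https://sp.example.org/shibboleth"  # made-up entityID


def build_sp_metadata(entity_id, keys):
    """Build a minimal SPSSODescriptor with one KeyDescriptor per (use, der) pair.
    use=None omits the attribute, which means the key is valid for both
    signing and encryption; "signing" or "encryption" restricts it."""
    ET.register_namespace("md", MD_NS)
    ET.register_namespace("ds", DS_NS)
    ed = ET.Element(f"{{{MD_NS}}}EntityDescriptor", entityID=entity_id)
    sp = ET.SubElement(ed, f"{{{MD_NS}}}SPSSODescriptor",
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
    for use, der in keys:
        kd = ET.SubElement(sp, f"{{{MD_NS}}}KeyDescriptor")
        if use is not None:
            kd.set("use", use)
        ki = ET.SubElement(kd, f"{{{DS_NS}}}KeyInfo")
        x509 = ET.SubElement(ki, f"{{{DS_NS}}}X509Data")
        cert = ET.SubElement(x509, f"{{{DS_NS}}}X509Certificate")
        cert.text = base64.b64encode(der).decode("ascii")
    return ET.tostring(ed, encoding="unicode")


def key_descriptors(metadata_xml):
    """Return [(role, use, sha256-hex-of-DER)] for every KeyDescriptor in
    the IdP and SP roles of an EntityDescriptor."""
    root = ET.fromstring(metadata_xml)
    found = []
    for role_tag in ("IDPSSODescriptor", "SPSSODescriptor"):
        for role in root.iter(f"{{{MD_NS}}}{role_tag}"):
            for kd in role.findall("md:KeyDescriptor", NS):
                cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
                der = base64.b64decode("".join(cert.text.split()))
                found.append((role_tag, kd.get("use"), hashlib.sha256(der).hexdigest()))
    return found


def rollover_state(descriptors):
    """Classify the published key set into the phases used by the procedures above."""
    uses = [use for _, use, _ in descriptors]
    signing = [fp for _, use, fp in descriptors if use in (None, "signing")]
    encryption = [fp for _, use, fp in descriptors if use in (None, "encryption")]
    if len(descriptors) == 1:
        phase = "steady-state"
    elif len(descriptors) == 2 and uses.count("signing") == 1 and uses.count(None) == 1:
        phase = "combined-rollover"  # old cert restricted to signing, new cert for both
    elif len(descriptors) == 2 and all(u in (None, "signing") for u in uses):
        phase = "signing-rollover"   # two signing-capable certs published side by side
    else:
        phase = "unknown"
    problems = []
    if not signing:
        problems.append("no signing-capable key published")
    if "SPSSODescriptor" in {role for role, _, _ in descriptors} and not encryption:
        problems.append("no encryption-capable key published")
    return {"phase": phase, "signing": signing, "encryption": encryption, "problems": problems}


if __name__ == "__main__":
    # Step 2 of the combined rollover: old cert use="signing", new cert without use.
    xml = build_sp_metadata(ENTITY_ID, [("signing", OLD_CERT_DER), (None, NEW_CERT_DER)])
    descriptors = key_descriptors(xml)
    for role, use, fp in descriptors:
        print(f"{role}: use={use or '(both)'} sha256={fp[:16]}...")
    print(rollover_state(descriptors)["phase"])
```

Run it against the metadata you are about to upload at each step: for the combined rollover you expect "combined-rollover" after step 2 and "steady-state" with only the new fingerprint after step 4, and an SP that has lost its last encryption-capable key shows up in problems before the XML is published.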

Metadata during Key rollover

For information on how the metadata will look during each phase, please see Metadata during Key rollover.

Steps in different software

  • Shibboleth IdP
  • Shibboleth SP
  • ADFS
  • SimpleSAMLphp


Old pages

...