Different KeyDescriptors
The KeyDescriptor stores a certificate, BUT the only interesting part is the public key stored inside the certificate! The private part of the key is stored on the machine responsible for the Entity,
...
- Create the key.
- Upload the new XML with both the new and the old cert to metadata.swamid.se/admin and request publication. Wait until you get confirmation of publication and then for at least 8 h more (recommended 24 h if in SWAMID and 48 h in eduGAIN) for all entities to pick up the new cert/key.
- All entities should now have our new signing key/cert. Switch the software to start signing with the new key. Disable/remove the old key from the software.
- Request removal of the old cert via metadata.swamid.se/admin.
- We are done.
...
- Create the key and add it to the software so that it can decrypt incoming messages.
- Upload the new XML with the old cert (marked use="signing") and the new cert without any use attribute to metadata.swamid.se/admin and request publication. Wait until you get confirmation of publication and then for at least 8 h more (recommended 24 h if in SWAMID and 48 h in eduGAIN) for all entities to pick up the new cert/key.
- All encrypted messages should now arrive encrypted to the new key, and all entities should now have our new signing key/cert. Switch the software to start signing with the new key.
- Request removal of the old cert via metadata.swamid.se/admin and request publication. Wait until you get confirmation of publication and then for at least 8 h more (recommended 24 h if in SWAMID and 48 h in eduGAIN) for all entities to stop using the old encryption cert/key.
- Disable/remove the old key from the software.
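The two procedures above differ only in which KeyDescriptors the metadata carries in each phase. The following script is an added example, not part of this page or of the SWAMID tooling: it encodes both plans, renders them as `md:KeyDescriptor` elements with `xml.etree.ElementTree`, and parses the result back so you can confirm the XML you are about to upload matches the phase you intend. The certificate strings are constructed placeholders. The encryption rollover follows the page exactly (old cert `use="signing"`, new cert without `use`); for the signing rollover the page does not state the `use` attribute, so the example assumes a deployment with a dedicated signing key and marks both certs `use="signing"`. A deployment that uses one key for both purposes should check the "Metadata during Key rollover" page instead.

```python
"""Build and check the KeyDescriptor section of SAML metadata per rollover phase."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)

# Constructed placeholders, not real certificates. In practice the base64
# body of the old and new X.509 certificate (PEM without headers) goes here.
OLD_CERT_B64 = "T0xELUNFUlQtUExBQ0VIT0xERVI="
NEW_CERT_B64 = "TkVXLUNFUlQtUExBQ0VIT0xERVI="


def key_descriptor_plan(rollover, phase, old_cert, new_cert):
    """Return the (use, certificate) pairs the metadata should carry.

    rollover: "signing" or "encryption"
    phase:    1 = new cert published alongside the old one
              2 = old cert withdrawn, only the new one remains
    A use of None means no use attribute, i.e. valid for both purposes.
    """
    if rollover == "signing":
        # Assumption: dedicated signing key, so both certs are use="signing".
        if phase == 1:
            return [("signing", old_cert), ("signing", new_cert)]
        return [("signing", new_cert)]
    if rollover == "encryption":
        if phase == 1:
            # Old cert restricted to signing so peers stop encrypting to it;
            # new cert has no use attribute, so peers accept it for both.
            return [("signing", old_cert), (None, new_cert)]
        return [(None, new_cert)]
    raise ValueError(f"unknown rollover type: {rollover}")


def render_key_descriptors(plan):
    """Render a plan as md:KeyDescriptor children of an md:SPSSODescriptor."""
    role = ET.Element(
        f"{{{MD_NS}}}SPSSODescriptor",
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol",
    )
    for use, cert in plan:
        kd = ET.SubElement(role, f"{{{MD_NS}}}KeyDescriptor")
        if use is not None:
            kd.set("use", use)
        key_info = ET.SubElement(kd, f"{{{DS_NS}}}KeyInfo")
        x509_data = ET.SubElement(key_info, f"{{{DS_NS}}}X509Data")
        ET.SubElement(x509_data, f"{{{DS_NS}}}X509Certificate").text = cert
    return ET.tostring(role, encoding="unicode")


def key_descriptors_in(xml_text):
    """Parse rendered metadata back into [(use, certificate), ...].

    Run this on the XML you intend to upload: it confirms that the use
    attributes and certificates really match the phase you planned.
    """
    root = ET.fromstring(xml_text)
    cert_path = f"{{{DS_NS}}}KeyInfo/{{{DS_NS}}}X509Data/{{{DS_NS}}}X509Certificate"
    found = []
    for kd in root.findall(f"{{{MD_NS}}}KeyDescriptor"):
        cert_el = kd.find(cert_path)
        found.append((kd.get("use"), cert_el.text.strip() if cert_el is not None else None))
    return found


if __name__ == "__main__":
    for rollover in ("signing", "encryption"):
        for phase in (1, 2):
            plan = key_descriptor_plan(rollover, phase, OLD_CERT_B64, NEW_CERT_B64)
            xml = render_key_descriptors(plan)
            assert key_descriptors_in(xml) == plan
            print(f"--- {rollover} rollover, phase {phase} ---")
            print(xml)
```

Running the script prints the `SPSSODescriptor` fragment for all four phases; the round-trip assertion is the check worth keeping in a pre-upload script, since a missing or misplaced `use` attribute during the encryption rollover is exactly what would let peers keep encrypting to the key you are about to remove.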
...
For information on how the metadata will look during each phase, please see Metadata during Key rollover.
Steps in different software
- Shibboleth IdP
- Shibboleth SP
- ADFS
- SimpleSAMLphp
Old pages
Pages to pick from