Warning

Not finished

This page describes the process of certificate rollover for a Shibboleth Service Provider (SP). The procedure described below replaces the certificates without any service disruption.

A Shibboleth SP 3 default installation has both an encryption and a signing certificate. Older installations might have a single certificate used for both encryption and signing.

Step 0 : Create new certificates

Note

shib-keygen creates a 3072-bit key by default. To get 4096 bits you have to manually edit the file /usr/sbin/shib-keygen and replace

[req]
prompt=no
default_bits=3072
encrypt_key=no
default_md=sha256

with

[req]
prompt=no
default_bits=4096
encrypt_key=no
default_md=sha256

To generate new keypairs and self-signed certificates for the SP, run the following commands as root user:

sudo -s

cd /etc/shibboleth/certs

# Save old encryption cert
mv sp-encrypt-cert.pem sp-encrypt-cert-old.pem
mv sp-encrypt-key.pem sp-encrypt-key-old.pem

# Create new certs
# Signing will be activated later but we need it to update Metadata
shib-keygen -n sp-signing-new
# Encryption will be activated directly
shib-keygen -n sp-encrypt-new
# Put the new encryption cert under the file names that shibboleth2.xml refers to
mv sp-encrypt-new-cert.pem sp-encrypt-cert.pem
mv sp-encrypt-new-key.pem sp-encrypt-key.pem

With the above commands, new certificates and private keys are generated inside the /etc/shibboleth/certs directory.

Step 1 : Add key to Shibboleth

...

Edit /etc/shibboleth/shibboleth2.xml and add a second encryption CredentialResolver for the old encryption key. It is needed during the rollover until all IdPs have picked up the new key.

Before:

<CredentialResolver type="File" use="signing"
    key="certs/sp-signing-key.pem"
    certificate="certs/sp-signing-cert.pem"/>

<CredentialResolver type="File" use="encryption"
    key="certs/sp-encrypt-key.pem"
    certificate="certs/sp-encrypt-cert.pem"/>

After:

<CredentialResolver type="File" use="signing"
    key="certs/sp-signing-key.pem"
    certificate="certs/sp-signing-cert.pem"/>

<CredentialResolver type="File" use="encryption"
    key="certs/sp-encrypt-key.pem"
    certificate="certs/sp-encrypt-cert.pem"/>

<CredentialResolver type="File" use="encryption"
    key="certs/sp-encrypt-key-old.pem"
    certificate="certs/sp-encrypt-cert-old.pem"/>

Test the config and, if no problems appear, restart the service:

sudo -s

# Test config
/usr/sbin/shibd -tc /etc/shibboleth/shibboleth2.xml

service shibd restart

Now the SP can decrypt incoming traffic encrypted to either the new or the old encryption cert, but it still uses the old signing key for signing outgoing messages.

Step 2 : Upload new Metadata

Warning

https://sp.example.com/Shibboleth.sso/Metadata is NOT correct

The metadata the SP generates itself is based on the current config in shibboleth2.xml and is not what we want to publish. Right now it shows the new and old encryption certs plus the old signing cert; we want to publish the new encryption cert plus the new and old signing certs.

First we need to update our XML: replace the encryption certificate and add the new signing certificate.

Download the XML from metadata.swamid.se and edit it as follows:

Replace:

<md:KeyDescriptor use="encryption">
    <ds:KeyInfo>
        <ds:X509Data>
            <ds:X509Certificate>Old cert</ds:X509Certificate>
        </ds:X509Data>
    </ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="signing">
    <ds:KeyInfo>
        <ds:X509Data>
            <ds:X509Certificate>Old cert</ds:X509Certificate>
        </ds:X509Data>
    </ds:KeyInfo>
</md:KeyDescriptor>

With:

<md:KeyDescriptor use="encryption">
    <ds:KeyInfo>
        <ds:X509Data>
            <ds:X509Certificate>New cert</ds:X509Certificate>
        </ds:X509Data>
    </ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="signing">
    <ds:KeyInfo>
        <ds:X509Data>
            <ds:X509Certificate>New cert</ds:X509Certificate>
        </ds:X509Data>
    </ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="signing">
    <ds:KeyInfo>
        <ds:X509Data>
            <ds:X509Certificate>Old cert</ds:X509Certificate>
        </ds:X509Data>
    </ds:KeyInfo>
</md:KeyDescriptor>

...

  • Upload the XML to metadata.swamid.se/admin.
  • Use "Merge missing from published" to copy over all Entity Categories and MDUI information from the old entity if they are not already in the XML file.
  • Request publication.
  • Wait until you get confirmation of publication, and then at least 8 h more (24 h recommended in SWAMID, 48 h in eduGAIN) for all entities to pick up the new cert/key.
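Before going on to Step 3 it is worth checking that the published metadata really is in the state this step expects (new encryption cert only; new and old signing certs). The Python checker below is an added example, not part of this page or of Shibboleth: it parses SAML metadata with the standard library, compares certificate bodies as whitespace-stripped base64 (so no crypto library is needed), treats a KeyDescriptor without a use attribute as valid for both uses, and uses constructed placeholder certificate bodies and entityID rather than real ones.

```python
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def pem_body(pem):
    """Base64 payload of a PEM certificate (or bare base64) with all whitespace removed."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return re.sub(r"\s+", "", m.group(1) if m else pem)

def published_by_use(metadata_xml):
    """Map 'signing' / 'encryption' to the certificate bodies published for that use.
    A KeyDescriptor without a use attribute counts for both, as the SAML metadata
    schema defines it; that is how an older single-certificate SP appears."""
    out = {"signing": [], "encryption": []}
    for kd in ET.fromstring(metadata_xml).iter(f"{{{NS['md']}}}KeyDescriptor"):
        uses = [kd.get("use")] if kd.get("use") else ["signing", "encryption"]
        for cert in kd.iter(f"{{{NS['ds']}}}X509Certificate"):
            for use in uses:
                out[use].append(pem_body(cert.text or ""))
    return out

def before_signing_switch_problems(metadata_xml, new_sign, old_sign, new_enc, old_enc):
    """Reasons why switching the SP signing key (Step 3) would not yet be safe.
    Safe published state: encryption = new cert only, signing = new AND old cert."""
    pub = published_by_use(metadata_xml)
    checks = [(new_sign, "signing", True, "new signing cert not published"),
              (old_sign, "signing", True, "old signing cert not published"),
              (new_enc, "encryption", True, "new encryption cert not published"),
              (old_enc, "encryption", False, "old encryption cert still published")]
    return [msg for cert, use, want, msg in checks if (pem_body(cert) in pub[use]) != want]

# Constructed placeholder certificate bodies for the demo, not real X.509 data.
NEW_SIGN, OLD_SIGN, NEW_ENC, OLD_ENC = "TkVXU0lHTg==", "T0xEU0lHTg==", "TkVXRU5D", "T0xERU5D"

def _kd(b64, use=None):
    """One md:KeyDescriptor; use=None omits the attribute (constructed test data)."""
    attr = f' use="{use}"' if use else ""
    return (f"<md:KeyDescriptor{attr}><ds:KeyInfo><ds:X509Data><ds:X509Certificate>"
            f"{b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>")

def sample_metadata(*descriptors):
    """Minimal SP EntityDescriptor wrapping the given KeyDescriptors (constructed)."""
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
            'entityID="https://sp.example.com/shibboleth"><md:SPSSODescriptor>'
            + "".join(descriptors) + "</md:SPSSODescriptor></md:EntityDescriptor>")
```

In practice you would feed it the XML fetched from the federation's published metadata and the PEM files from /etc/shibboleth/certs; an empty result list means the signing switch can proceed.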

Step 3 : Switch signing cert

Run the following commands as root user:

sudo -s

cd /etc/shibboleth/certs

# Save old signing cert
mv sp-signing-cert.pem sp-signing-cert-old.pem
mv sp-signing-key.pem sp-signing-key-old.pem

# Put the new signing cert in place
mv sp-signing-new-cert.pem sp-signing-cert.pem
mv sp-signing-new-key.pem sp-signing-key.pem


Test the config and, if no problems appear, restart the service:

sudo -s

# Test config
/usr/sbin/shibd -tc /etc/shibboleth/shibboleth2.xml

service shibd restart

Step 4 : Upload new Metadata again

...

Step 5 : Disable / remove the old key from the software

Edit /etc/shibboleth/shibboleth2.xml to remove the old encryption key.

Before:

<CredentialResolver type="File" use="signing"
    key="certs/sp-signing-key.pem"
    certificate="certs/sp-signing-cert.pem"/>

<CredentialResolver type="File" use="encryption"
    key="certs/sp-encrypt-key.pem"
    certificate="certs/sp-encrypt-cert.pem"/>

<CredentialResolver type="File" use="encryption"
    key="certs/sp-encrypt-key-old.pem"
    certificate="certs/sp-encrypt-cert-old.pem"/>

After:

<CredentialResolver type="File" use="signing"
    key="certs/sp-signing-key.pem"
    certificate="certs/sp-signing-cert.pem"/>

<CredentialResolver type="File" use="encryption"
    key="certs/sp-encrypt-key.pem"
    certificate="certs/sp-encrypt-cert.pem"/>

...


Test the config and, if no problems appear, restart the service:

sudo -s

# Test config
/usr/sbin/shibd -tc /etc/shibboleth/shibboleth2.xml

service shibd restart

# When we are sure everything works we can remove the old files.
cd /etc/shibboleth/certs
rm sp-signing-cert-old.pem sp-signing-key-old.pem sp-encrypt-key-old.pem sp-encrypt-cert-old.pem