
NOT finished


This page describes the process of certificate rollover for Shibboleth Identity Providers. The procedure described below allows replacing certificates without any service disruptions.

A default Shibboleth SP 3 installation has both an encryption and a signing certificate.

Step 0 : Create new certificate

To generate a new keypair and self-signed certificate for the IdP, run the following commands as the root user:

sudo -s

cd /etc/shibboleth

shib-keygen -n sp-signing-new
shib-keygen -n sp-encrypt-new

With the above commands a new certificate and private key are generated inside the /etc/shibboleth/ directory.

Step 1 : Add key to Shibboleth


Edit /etc/shibboleth/shibboleth2.xml and add the new encryption key:

Before:

<CredentialResolver type="File" use="signing"
    key="certs/sp-signing-key.pem"
    certificate="certs/sp-signing-cert.pem"/>

<CredentialResolver type="File" use="encryption"
    key="certs/sp-encrypt-key.pem"
    certificate="certs/sp-encrypt-cert.pem"/>

After:

<CredentialResolver type="File" use="signing"
    key="certs/sp-signing-key.pem"
    certificate="certs/sp-signing-cert.pem"/>

<CredentialResolver type="File" use="encryption"
    key="certs/sp-encrypt-key.pem"
    certificate="certs/sp-encrypt-cert.pem"/>

<CredentialResolver type="File" use="encryption"
    key="certs/sp-encrypt-key-old.pem"
    certificate="certs/sp-encrypt-cert-old.pem"/>


/usr/sbin/shibd -tc /etc/shibboleth/shibboleth2.xml

Rearrange keys and reload config

sudo -s

cd /opt/shibboleth-idp/credentials

# Backup old key
mv idp-encryption.crt idp-encryption-old.crt
mv idp-encryption.key idp-encryption-old.key

# Put new key in place
mv idp-encryption.crt.new idp-encryption.crt
mv idp-encryption.key.new idp-encryption.key

# The rest could be done as a normal user
exit

# To trigger the IdP to start using the changed credentials, reload the RelyingParty service that also reloads the conf/credentials.xml file and its referenced credential files:
curl -k https://127.0.0.1/idp/profile/admin/reload-service?id=shibboleth.RelyingPartyResolverService

Step 2 : Upload new Metadata

metadata/idp-metadata.xml is NOT automatically updated

Note that the metadata is generated as a one-time operation during installation. It does not result from an in-depth analysis of the IdP configuration and does not change when the configuration changes. It's a starter example, not a real metadata source.

First we need to update our XML and replace the encryption certificate and add the new signing certificate.

Either download the XML from metadata.swamid.se OR edit the "original" file /opt/shibboleth-idp/idp-metadata.xml

Replace:

<md:KeyDescriptor use="encryption">
    <ds:KeyInfo>
        <ds:X509Data>
            <ds:X509Certificate>Old cert</ds:X509Certificate>
        </ds:X509Data>
    </ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="signing">
    <ds:KeyInfo>
        <ds:X509Data>
            <ds:X509Certificate>Old cert</ds:X509Certificate>
        </ds:X509Data>
    </ds:KeyInfo>
</md:KeyDescriptor>

With:

<md:KeyDescriptor use="encryption">
    <ds:KeyInfo>
        <ds:X509Data>
            <ds:X509Certificate>New cert</ds:X509Certificate>
        </ds:X509Data>
    </ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="signing">
    <ds:KeyInfo>
        <ds:X509Data>
            <ds:X509Certificate>New cert</ds:X509Certificate>
        </ds:X509Data>
    </ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="signing">
    <ds:KeyInfo>
        <ds:X509Data>
            <ds:X509Certificate>Old cert</ds:X509Certificate>
        </ds:X509Data>
    </ds:KeyInfo>
</md:KeyDescriptor>


  • Upload the XML to metadata.swamid.se/admin.
  • Use "Merge missing from published" to copy over all Entity Categories and MDUI information from the old Entity if they are not already in the XML file.
  • Request publication.
  • Wait until you get confirmation of publication and then for at least 8 h more (recommended 24 h if in SWAMID and 48 h in eduGAIN) for all entities to pick up the new cert/key.

Step 3 : Switch signing cert

Rearrange keys and reload config

sudo -s

cd /opt/shibboleth-idp/credentials

# Backup old key
mv idp-signing.crt idp-signing-old.crt
mv idp-signing.key idp-signing-old.key

# Put new key in place
mv idp-signing.crt.new idp-signing.crt
mv idp-signing.key.new idp-signing.key

# The rest could be done as a normal user
exit

# To trigger the IdP to start using the changed credentials, reload the RelyingParty service that also reloads the conf/credentials.xml file and its referenced credential files:
curl -k https://127.0.0.1/idp/profile/admin/reload-service?id=shibboleth.RelyingPartyResolverService

Step 4 : Upload new Metadata again

Now we need to update our XML and remove the old signing certificate.

Replace:

<md:KeyDescriptor use="encryption">
    <ds:KeyInfo>
        <ds:X509Data>
            <ds:X509Certificate>New cert</ds:X509Certificate>
        </ds:X509Data>
    </ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="signing">
    <ds:KeyInfo>
        <ds:X509Data>
            <ds:X509Certificate>New cert</ds:X509Certificate>
        </ds:X509Data>
    </ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="signing">
    <ds:KeyInfo>
        <ds:X509Data>
            <ds:X509Certificate>Old cert</ds:X509Certificate>
        </ds:X509Data>
    </ds:KeyInfo>
</md:KeyDescriptor>

With:

<md:KeyDescriptor use="encryption">
    <ds:KeyInfo>
        <ds:X509Data>
            <ds:X509Certificate>New cert</ds:X509Certificate>
        </ds:X509Data>
    </ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="signing">
    <ds:KeyInfo>
        <ds:X509Data>
            <ds:X509Certificate>New cert</ds:X509Certificate>
        </ds:X509Data>
    </ds:KeyInfo>
</md:KeyDescriptor>


  • Upload the XML to metadata.swamid.se/admin.
  • Use "Merge missing from published" to copy over all Entity Categories and MDUI information from the old Entity if they are not already in the XML file.
  • Request publication.
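
A check for the metadata edits in steps 2 and 4 above, added here as an example (it is not part of this page or of Shibboleth): it parses the entity's metadata, fingerprints every published X509Certificate, and reports what is missing or still published compared with the key set expected at that stage (after step 2: new encryption, new plus old signing; after step 4: new only). The entityID and the certificate blobs are constructed placeholders; pem_fingerprint is there so a credentials/*.crt file can be compared with what metadata.swamid.se publishes.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

def fingerprint(b64_der: str) -> str:
    """SHA-256 of a DER certificate given as base64 (line breaks inside the blob are ignored)."""
    return hashlib.sha256(base64.b64decode("".join(b64_der.split()))).hexdigest()

def pem_fingerprint(pem: str) -> str:
    """Fingerprint of a PEM file such as credentials/idp-signing.crt, comparable with the metadata."""
    return fingerprint(pem.replace("-----BEGIN CERTIFICATE-----", "").replace("-----END CERTIFICATE-----", ""))

def metadata_keys(xml_text: str) -> dict:
    """Map each KeyDescriptor use to the fingerprints it publishes; no 'use' attribute means both."""
    keys = {"signing": [], "encryption": []}
    for kd in ET.fromstring(xml_text).iter(f"{{{MD_NS}}}KeyDescriptor"):
        uses = [kd.get("use")] if kd.get("use") else ["signing", "encryption"]
        for cert in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            for use in uses:
                keys[use].append(fingerprint(cert.text))
    return keys

def rollover_problems(xml_text: str, expected: dict) -> list:
    """Diff published keys against {'signing': {fps}, 'encryption': {fps}} for this stage; [] = clean."""
    found = metadata_keys(xml_text)
    problems = []
    for use, want in expected.items():
        have = set(found[use])
        problems += [f"{use}: expected cert {fp[:16]} missing from metadata" for fp in want - have]
        problems += [f"{use}: unexpected cert {fp[:16]} still published" for fp in have - want]
    return problems

# Constructed sample data: placeholder blobs, not real X.509 DER; only their fingerprints matter here.
OLD, NEW = b"placeholder-old-cert", b"placeholder-new-cert"
FP_OLD, FP_NEW = hashlib.sha256(OLD).hexdigest(), hashlib.sha256(NEW).hexdigest()
NEW_PEM = f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(NEW).decode()}\n-----END CERTIFICATE-----\n"

def _kd(use: str, blob: bytes) -> str:
    return (f'<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
            f'{base64.b64encode(blob).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')

def _entity(*descriptors: str) -> str:  # entityID is a hypothetical example value
    return (f'<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}" entityID="https://idp.example.org/idp">'
            f'<md:IDPSSODescriptor>{"".join(descriptors)}</md:IDPSSODescriptor></md:EntityDescriptor>')

STEP2_XML = _entity(_kd("encryption", NEW), _kd("signing", NEW), _kd("signing", OLD))  # published after step 2
STEP4_XML = _entity(_kd("encryption", NEW), _kd("signing", NEW))                        # published after step 4
```

Run rollover_problems against the metadata you downloaded from metadata.swamid.se with the fingerprints of the files in credentials/ before moving on to step 3 or step 5; an empty list means the published key set matches that stage.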

Step 5 : Disable / remove key from software

Edit /opt/shibboleth-idp/conf/credentials.xml and comment out this block (add <!-- and --> around it):

<bean class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean"
p:privateKeyResource="%{idp.encryption.key.2}"
p:certificateResource="%{idp.encryption.cert.2}"
p:entityId-ref="entityID" />

Reload the config to stop accepting encryption with the old keys.


/etc/shibboleth/shibboleth2.xml

<CredentialResolver type="File" use="signing" key="certs/sp-signing-key.pem" certificate="certs/sp-signing-cert.pem"/>
<CredentialResolver type="File" use="encryption" key="certs/sp-encrypt-key.pem" certificate="certs/sp-encrypt-cert.pem"/>

certs/sp-encrypt-cert.pem certs/sp-encrypt-key.pem certs/sp-signing-cert.pem certs/sp-signing-key.pem
