inc-ops-notifications - InCommon-CA Certs are Expiring
- From: John Krienke <>
- To: InCommon Operations Notifications <>
- Subject: InCommon-CA Certs are Expiring
- Date: Mon, 17 May 2010 12:36:03 -0400
- Organization: Internet2
Important Certificate Interoperability Information:
Old InCommon CA-rooted certificates are now starting to expire. This is causing problems for a small set of IdPs that are still relying on Apache mod_ssl for PKI-based certificate validation. Expiring certificates are not a problem for most, as key management is no longer based on checking against the InCommon root but is based on each entity's key as published in the federation metadata.
We planned the Certificate transition carefully last year and stopped issuing InCommon CA-rooted certs in January of this year.
See: https://spaces.internet2.edu/display/InCCollaborate/X.509+Certificates+in+Metadata
SPs: Issue your system a *Self-signed cert*. Plan certificate migration. The guidance on this is here:
https://spaces.internet2.edu/display/SHIB2/NativeSPMultipleCredentials
IdPs: Make sure you are downloading the metadata *at least daily.* If you don't, your production system may at times NOT be able to interoperate with your partners.
http://www.incommonfederation.org/metadata.html
IdPs: If you rely on Apache in your IdP deployment, ensure that mod_ssl is not validating client certificates on port 8443 (or whatever port you rely on for SOAP requests) by using the "SSLVerifyClient optional_no_ca" setting. Failure to do this will result in frequent failures that cannot be fixed other than with this setting or removing Apache [1].
john.
[1] As advised by the InCommon Technical Advisory Committee
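For reference, the following Apache back-channel VirtualHost shows the mod_ssl setting the notice warns about beside the recommended one. It is an added example, not configuration from the notice or from the Shibboleth project; the hostname, certificate paths and AJP proxy port are assumptions.

```apache
# Added example: back-channel (SOAP) vhost for a Shibboleth IdP fronted by Apache.
# Hostname, certificate paths and the AJP port below are assumed values.
Listen 8443
<VirtualHost *:8443>
    ServerName idp.example.edu:8443
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/idp-backchannel.crt
    SSLCertificateKeyFile /etc/pki/tls/private/idp-backchannel.key

    # Problem setting: mod_ssl chains the SP's client certificate to the CA
    # bundle. Once the old InCommon CA certs expire, or an SP moves to a
    # self-signed cert, the TLS handshake is rejected before the SOAP request
    # ever reaches the IdP.
    #
    # SSLVerifyClient      optional
    # SSLCACertificateFile /etc/pki/tls/certs/incommon-ca.pem

    # Recommended setting: accept the client certificate without CA validation
    # and pass it through. The IdP then compares it against the key published
    # for that SP in the federation metadata, which is where trust now lives.
    # (mod_ssl reports SSL_CLIENT_VERIFY=GENEROUS for such connections.)
    SSLVerifyClient optional_no_ca
    SSLOptions +ExportCertData +StdEnvVars

    # Hand the back-channel requests to the IdP's servlet container
    # (requires mod_proxy and mod_proxy_ajp; port 8009 is assumed).
    ProxyPass /idp ajp://localhost:8009/idp
</VirtualHost>
```

Because trust is delegated to the metadata, this setting is only safe when the IdP refreshes the federation metadata at least daily, as the notice requires.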