
metadata-support - Re: [Metadata-Support] Cambridge University Press - X509 certificate rollover help

Subject: InCommon metadata support

  • From: "Cantor, Scott" <>
  • To: "" <>
  • Subject: Re: [Metadata-Support] Cambridge University Press - X509 certificate rollover help
  • Date: Thu, 16 Oct 2014 00:54:49 +0000
  • Accept-language: en-US
  • Authentication-results: spf=pass (sender IP is 164.107.81.216) ;

On 10/15/14, 8:14 PM, "Jarvy A Alvarez"
<>
wrote:
>
>Seeking for your assistance please on how we can proceed with the key
>"rollover" process.

InCommon's documentation is [1].

Shibboleth's, which uses a slightly different process that also works, is
[2].

Either works, and I don't know what you're following, but the answer is,
read one of them and do that. If you don't understand something in it,
then ask.

>Our X509 certificate will expire 19th of Oct 2014 and we have already
>initiated the first step
>(already deployed in live the chaining in our SP configuration). Our
>updated metadata can be
>found at the link provided below:
>
>https://shibboleth.cambridge.org/Shibboleth.sso/Metadata

No, your metadata is what you have registered with the federation. What
you self-publish is not relevant to either key rollover or anybody else's
production system.

>Please let us know of the things you may require before we can proceed.

Your certificate expiring only breaks non-conformant software, such as
ADFS. I don't know who "you" is that you're referring to, but for many of
us, the answer is that we don't require anything really.

Whether you care depends on whether you have partners/customers using
non-conformant software that you need to accommodate by rolling over the
certificate. Most of the time, the reason to roll the cert is to just
avoid that question by making sure what's registered isn't expired. Your
primary mistake was in registering one that expired so soon. They should
be set to last 20 or more years. So make sure you don't repeat that
mistake.

-- Scott

[1] https://spaces.internet2.edu/display/InCFederation/SP+Cert+Migration
[2] https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPMultipleCredentials
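
Added example, not part of the message above and not InCommon or Shibboleth tooling: a standard-library Python check that reports when each certificate in a saved copy of your federation-registered metadata expires, which is the condition the reply says matters. The function names and the file name in the usage comment are assumptions for illustration.

```python
import base64, sys
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

X509 = "{http://www.w3.org/2000/09/xmldsig#}X509Certificate"

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, content_start, content_end)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long form: low 7 bits count the length bytes
        n = first & 0x7F
        first = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + first

def cert_not_after(der):
    """Return the notAfter field of a DER X.509 certificate as a UTC datetime."""
    _, pos, _ = _tlv(der, 0)               # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)             # TBSCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                        # optional [0] version
        pos = end
    for _field in range(3):                # serialNumber, signature, issuer
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)             # Validity SEQUENCE
    _, _, pos = _tlv(der, pos)             # skip notBefore
    tag, start, end = _tlv(der, pos)       # notAfter
    text = der[start:end].decode("ascii")
    if tag == 0x17:                        # UTCTime: two-digit year, 50-99 means 19xx
        when = datetime.strptime(text, "%y%m%d%H%M%SZ")
        if when.year >= 2050:
            when = when.replace(year=when.year - 100)
    else:                                  # GeneralizedTime, used from 2050 onwards
        when = datetime.strptime(text, "%Y%m%d%H%M%SZ")
    return when.replace(tzinfo=timezone.utc)

def metadata_cert_expiries(xml_bytes, now=None):
    """Return [(days_left, not_after)] for every ds:X509Certificate in SAML metadata."""
    now = now or datetime.now(timezone.utc)
    results = []
    for el in ET.fromstring(xml_bytes).iter(X509):   # trusted input only: no entity-expansion defence
        not_after = cert_not_after(base64.b64decode("".join(el.text.split())))
        results.append(((not_after - now).days, not_after))
    return results

if __name__ == "__main__" and len(sys.argv) > 1:     # usage: python3 check_md_certs.py metadata.xml
    with open(sys.argv[1], "rb") as fh:
        for days, when in metadata_cert_expiries(fh.read()):
            print("EXPIRED" if days < 0 else "ok", when.date(), f"{days} days left")
```

Run it against the entity descriptor as registered with the federation, not the copy the SP self-publishes.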



