I have an IdP running and it is connected to multiple services. Is it possible to put multiple certificates on the individual services? The reason for this is that certs on the services are running out and they need to be changed. To do this more easily I would like to apply the new cert to the IdP before they are changed on the service, so the change on the service will not be noticed by the end user.
Regards
Jacob Christiansen
System Developer
WAYF
Just to be clear: You need to replace the certificate and private key
on the IdP, and would like to add multiple certificates for the IdP on
the SPs, so that you can switch the certificate and private key on the
IdP without switching the certificate at the SPs at the same time?
If the SPs use the certFingerprint metadata option, and have manually
configured metadata, it should be possible to make the certFingerprint
option an array. simpleSAMLphp will then accept both entries in
the certFingerprint array.
Unfortunately, the following is not yet supported:
- The 'cert' option as an array of filenames.
- The 'certData' option as an array of certificates.
- Automatic extraction of multiple certificates from metadata.
It has been on my TODO-list for a while, but I have not yet had the
time to implement it.
(Btw.: I am not aware of any software that checks the expiration
timestamp of the certificate in the metadata, and I believe the general
recommendation is to treat the certificate as a carrier of a public
key, ignoring the other options in it. The SAML V2.0 Metadata
Interoperability Profile[1] specifies this behaviour on lines 331-335.)
[1] http://docs.oasis-open.org/security/saml/Post2.0/sstc-metadata-iop-cs-01.pdf
--
Olav Morken
UNINETT / Feide
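As an added example (not code from this thread or from simpleSAMLphp itself) of the certFingerprint array described above: an SP's manually configured saml20-idp-remote entry that accepts both the IdP's current and next certificate during the rollover window. The entity ID, endpoint URLs and certificate paths are placeholders, and the fingerprint helper assumes the SHA-1-over-DER fingerprint (the same value `openssl x509 -fingerprint -sha1` prints).

```php
<?php
// Added example: SP-side metadata for an IdP certificate rollover.
// Assumption: certFingerprint entries are SHA-1 fingerprints of the DER
// certificate, compared case-insensitively with colons ignored.

// Fingerprint of a PEM certificate file: strip the armour, decode the
// base64 body to DER, hash it. Returns lowercase hex without colons.
function certFingerprintFromPem($pemPath)
{
    $pem = file_get_contents($pemPath);
    if ($pem === false) {
        throw new RuntimeException("Cannot read certificate: $pemPath");
    }
    $body = preg_replace('/-----(BEGIN|END) CERTIFICATE-----|\s+/', '', $pem);
    $der  = base64_decode($body, true);
    if ($der === false || $der === '') {
        throw new RuntimeException("Not a PEM certificate: $pemPath");
    }
    return sha1($der);
}

// Normalise a fingerprint the way a colon/case tolerant comparison needs.
function normaliseFingerprint($fp)
{
    return strtolower(str_replace(':', '', $fp));
}

// True if the fingerprint of the certificate carried in a signed message
// matches any entry of the configured array.
function fingerprintAccepted($messageCertFp, array $allowed)
{
    $needle = normaliseFingerprint($messageCertFp);
    foreach ($allowed as $fp) {
        if (normaliseFingerprint($fp) === $needle) {
            return true;
        }
    }
    return false;
}

// Placeholder paths: the certificate the IdP signs with today, and the one
// it will switch to. Remove the old entry once the IdP has switched.
$oldFp = certFingerprintFromPem('/etc/ssl/certs/idp-current.crt');
$newFp = certFingerprintFromPem('/etc/ssl/certs/idp-next.crt');

// metadata/saml20-idp-remote.php entry (placeholder entity ID and endpoints)
$metadata['https://idp.example.org/saml2/idp/metadata.php'] = array(
    'SingleSignOnService' => 'https://idp.example.org/saml2/idp/SSOService.php',
    'SingleLogoutService' => 'https://idp.example.org/saml2/idp/SingleLogoutService.php',
    'certFingerprint'     => array($oldFp, $newFp),
);
```

This only helps for messages that carry the signing certificate (signed IdP responses over HTTP-POST); as the thread notes, it does not cover the SP's own certificate, because the SP's HTTP-Redirect messages cannot carry one.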
Sorry, I misread your original mail. Unfortunately, multiple
certificates on an SP make it more difficult, since you cannot use the
certFingerprint option on the SP metadata. The certFingerprint option
only works if the certificate is included in the request. The SP will
only send authentication requests and logout messages, all of which use
the HTTP-Redirect binding, which cannot carry the certificate.