Getting Certificates for a Shibboleth 2.x SP installation
To set up a Shibboleth 2.x SP entity within the UK federation you will normally require two X.509 digital certificates:
- a trust-fabric certificate for machine-to-machine use, and
- a browser-facing certificate that users will see.
These two certificates serve different purposes and have different properties. For the trust-fabric certificate, a self-signed certificate with a lifetime of 10 or 20 years is recommended. The browser-facing certificate must be an SSL/TLS certificate issued by a certificate authority, because browsers warn users about a self-signed one. A key length of 2048 bits is recommended for all certificates.
To avoid confusion, they may be stored in files named after the fully qualified domain name of the host server, but with different suffixes, for example:
- host.uni.ac.uk.ss.crt for the trust-fabric certificate
- host.uni.ac.uk.crt for the browser-facing certificate
You do not normally need to take any action to acquire a trust-fabric certificate, as a suitable certificate is generated automatically by the Shibboleth 2.x SP installation script. (See the section Certificate credentials in our Shibboleth 2 SP configuration guide for further details.)
If you no longer have the certificate and key pair generated at installation, or you need to create a new certificate and key pair for some other reason, then you can use the keygen script which is in the service provider installation directory; it will be called keygen.sh or keygen.bat depending on the operating system. Use the -h option to see usage information.
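As an added illustration (not part of this page, and not the Shibboleth project's keygen script), the POSIX shell functions below do with plain openssl what the recommendations above describe: generate a self-signed trust-fabric certificate with a 2048-bit key and a 20-year lifetime, stored as host.uni.ac.uk.ss.crt and host.uni.ac.uk.ss.key, and then check an arbitrary PEM certificate against those recommendations (key size, self-signed or CA-issued, years of validity remaining). The function names and the check thresholds are my own; host.uni.ac.uk is the example name used on this page.

```shell
#!/bin/sh
# Added example: trust-fabric certificate generation and checks with openssl.
# Not the Shibboleth keygen script; function names are hypothetical.
set -eu

# Generate a self-signed trust-fabric certificate and private key for the
# FQDN $1 in directory $2, valid for $3 years (default 20), named
# <fqdn>.ss.crt / <fqdn>.ss.key. Prints the path of the certificate.
make_trust_fabric_cert() {
    fqdn=$1; outdir=$2; years=${3:-20}
    days=$((years * 365))
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -keyout "$outdir/$fqdn.ss.key" -out "$outdir/$fqdn.ss.crt" \
        -days "$days" -subj "/CN=$fqdn" \
        -addext "subjectAltName=DNS:$fqdn" >/dev/null 2>&1
    chmod 600 "$outdir/$fqdn.ss.key"   # the key is a credential: owner-readable only
    echo "$outdir/$fqdn.ss.crt"
}

# Print the size in bits of the certificate's RSA public key.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p'
}

# Return 0 if the certificate is self-signed (issuer equals subject).
cert_is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    i=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    [ "$s" = "$i" ]
}

# Return 0 if the certificate is still valid $2 years from now.
cert_valid_for_years() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 365 * 86400 )) >/dev/null
}

# Check certificate $1 against the trust-fabric recommendations: a key of at
# least 2048 bits and at least $2 years (default 10) of validity remaining.
# Prints one line per check and returns 0 only if both pass; whether the
# certificate is self-signed is reported but does not fail the check.
check_trust_fabric_cert() {
    crt=$1; min_years=${2:-10}; rc=0
    bits=$(cert_key_bits "$crt")
    if [ "${bits:-0}" -ge 2048 ]; then echo "key: $bits bits (ok)"
    else echo "key: ${bits:-unknown} bits (shorter than 2048)"; rc=1; fi
    if cert_is_self_signed "$crt"; then echo "issuer: self-signed (as recommended)"
    else echo "issuer: CA-issued (usable, but not needed for the trust fabric)"; fi
    if cert_valid_for_years "$crt" "$min_years"; then echo "validity: at least $min_years years left (ok)"
    else echo "validity: expires within $min_years years (renew soon)"; rc=1; fi
    return $rc
}

# Return 0 if certificate $1 is usable browser-facing, i.e. not self-signed.
# (A CA-issued certificate can still be untrusted; this only rules out the
# self-signed case that the trust-fabric certificate falls into.)
check_browser_facing_cert() {
    if cert_is_self_signed "$1"; then
        echo "self-signed: browsers will warn; obtain a CA-issued certificate"; return 1
    fi
    echo "CA-issued certificate"; return 0
}

# Demo run: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    crt=$(make_trust_fabric_cert host.uni.ac.uk "$dir" 20)
    check_trust_fabric_cert "$crt" 10
    check_browser_facing_cert "$crt" || true
    rm -rf "$dir"
fi
```

The lifetime check uses `openssl x509 -checkend`, which asks whether the certificate will still be valid a given number of seconds from now; that avoids parsing the notAfter date, which `date` handles differently on GNU and BSD systems. Run `check_trust_fabric_cert` against the certificate you are about to register in metadata, and `check_browser_facing_cert` against the one configured in your web server, to confirm each has been put in the right place.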
Here are details of acquiring a browser-facing certificate.
