Getting Certificates for an OpenAthens LA IdP installation

To set up an OpenAthens IdP entity within the UK federation you will normally require two X.509 digital certificates:

  • a trust-fabric certificate for machine-to-machine use, and
  • a browser-facing certificate that users will see

These two certificates are used for different purposes and have different properties:

  • A self-signed certificate with a lifetime of 10 or 20 years is recommended for the trust fabric certificate
  • An SSL certificate from a commercial Certification Authority (CA) is required for the browser-facing certificate

A key length of 2048 bits is recommended for all certificates, and and new trust fabric certificates must have a key length of at least 2048 bits. We recommend 2048 bits, as longer keys provide no additional practical security but are more computationally expensive for all parties.

Generating an OpenAthens LA IdP trust-fabric certificate

For a new installation

You do not normally need to take any action to acquire a trust-fabric certificate for a new installation, as a suitable certificate is generated automatically by the OpenAthens LA software. The certificate appears in the metadata at the metadata URL for your installation and is in the software configuration.

If you do need to generate a new certificate at this point, please contact Eduserv for details.

Replacement for an existing installation

Please contact Eduserv for details of how to generate the new certificate.

Replacing an OpenAthens LA trust-fabric certificate

A trust fabric certificate should be replaced before it expires. When replacing an embedded OpenAthens LA IdP trust fabric certificate with a new one generated as above, we recommend that you follow the steps described below. Please note that this process may take between several days and several weeks so that updated metadata can propagate to federation SPs, so plenty of time should be allocated. If you aren't familiar with the process then allow at least a month.

  1. email the new certificate to us and ask us to add it to the registered IdP metadata in the federation in addition to the old one. Please do not send us the private key.
  2. wait for a few days or a week, to allow the metadata to propagate to federation SPs
  3. Update your OpenAthens LA IdP configuration to use the new certificate
  4. test using the UK federation test SP and check in your IdP logs that the IdP is using the new certificate.If you can't tell then please ask the UK federation support team to check the test SP log for you.
  5. ask us to remove the old certificate from the metadata

Please note: There should be no loss of service with most federation SPs if the above procedure is followed, but there are some SPs that are unable to handle the presence of more than one certificate in an IdP's metadata. We recommend you aim to keep the time at which two certificates are together in the metadata short to reduce service disruption with any such SPs.

Acquiring and replacing a browser-facing certificate

Here are details of acquiring a browser-facing certificate.

The browser-facing SSL certificate does not appear in metadata (unless it happens also to be the trust fabric certificate). Please contact Eduserv for configuration details for the browser-facing certificate.