Getting Certificates for an OpenAthens SP installation

To set up an OpenAthens SP entity within the UK federation you will normally require two X.509 digital certificates:

  • a trust-fabric certificate for machine-to-machine use, and
  • a browser-facing certificate that users will see

These two certificates are used for different purposes and have different properties:

  • A self-signed certificate with a lifetime of 10 or 20 years is recommended for the trust fabric certificate
  • An SSL certificate is required for the browser-facing certificate

A key length of 2048 bits is recommended for all certificates, and new trust fabric certificates must have a key length of 2048 bits or more. We recommend 2048 bits, as longer keys provide no additional practical security but are more computationally expensive for all parties.

To avoid confusion, they may be stored in files named after the fully qualified domain name of the host server, but with different suffices, for example:

  •   for the trust-fabric certificate
  •   for the browser-facing certificate

Acquiring an OpenAthens SP trust-fabric certificate

You do not normally need to take any action to acquire a trust-fabric certificate, as a suitable certificate and key pair is generated automatically by the OpenAthens SP software. The certificate appears in the metadata at the metadata URL for your installation and is in the software configuration.

Please contact Eduserv for details.

Replacing an OpenAthens SP trust-fabric certificate

A trust fabric certificate should be replaced before it expires. When replacing an embedded an OpenAthens SP trust fabric certificate we recommend that you follow the steps described below. Please note that this process may take between several days and several weeks so that updated metadata can propagate to federation IdPs, so plenty of time should be allocated. If you aren't familiar with the process then allow at least a month.

To summarise the process:

  1. ask the UK federation support team to add the new certificate to the SP metadata in addition to the old one, and wait for a few days, to allow the metadata to propagate to federation IdPs
  2. add the new certificate and key to your SP configuration
  3. ask the UK federation support team to remove the old certificate from the metadata, and wait another few days to allow the metadata to propagate
  4. remove the old key pair from your SP configuration

There may be some service disruption for SAML 2 capable SPs if IdPs attempt to use the new certificate for encryption before it has been added to the SP configuration. If this occurs then we suggest you move to step 2 as quickly as possible.

Please note that if your SP is registered in multiple federations, then you will need to ensure that any certificate replacement is co-ordinated across federations.

Acquiring a browser-facing certificate

Here are details of acquiring a browser-facing certificate.