Getting Certificates for a Service Provider

(Separate information is provided for getting certificates for a Shibboleth 2.x SP.)

To set up a service provider within the UK federation according to current recommendations, you will normally require two X.509 digital certificates:

• a trust-fabric certificate for machine-to-machine use, and
• a browser-facing certificate that users will see; this must be an SSL certificate from an external Certification Authority (CA)

These two certificates are used for different purposes and have different properties:

• A self-signed certificate with a lifetime of 10 or 20 years is recommended for the trust fabric certificate
• An SSL certificate is required for the browser-facing certificate

A key length of 2048 bits is recommended for all certificates, and a key length of at least 2048 bits is mandatory for trust fabric certificates. We recommend 2048 bits, as longer keys provide no additional practical security but are more computationally expensive for all parties.

Wildcard certificates are not recommended as SP trust fabric certificates.

To avoid confusion, certificates may be stored in files named after the fully qualified domain name of the host server, but with different suffices, for example:

• host.uni.ac.uk.ss.crt for the trust-fabric certificate
• host.uni.ac.uk.crt for the browser-facing certificate

It is usually a good idea to ensure that each certificate is stored in just one place in the file system (rather than having multiple scattered copies), so that when a certificate is changed only a single copy of each file must be modified and every reference to the certificate is then automatically updated.

Details of acquiring these two types of certificate follow:

• Trust-Fabric Certificate
• Browser-Facing Certificate

Replacing an SP trust-fabric certificate

A trust fabric certificate should be replaced before it expires. When replacing an embedded trust fabric certificate for an SP without SAML 2 support we recommend that you follow the steps described below.

Separate information is provided for replacing a certificate for a Shibboleth 2.x SP with SAML 2 support.

For other software, please consult the software documentation or the software vendor's support.

Please note that this process may take between several days and several weeks so that updated metadata can propagate to federation IdPs, so plenty of time should be allocated. If you aren't familiar with the process then allow at least a month.

1. ask the UK federation support team to add the new certificate to the registered SP metadata in the federation in addition to the old one
2. wait for a few days or a week, to allow the metadata to propagate to federation IdPs
3. update your SP configuration to use the new certificate - please consult your software documentation or software vendor for details
4. test using an IdP to which you have access, or ask a client to test, or use the UK federation test IdP, and check that the SP is using the new certificate
5. ask the UK federation support team to remove the old certificate from the metadata

There should be no loss of service if that procedure is followed.

Please note that if your SP is registered in multiple federations, then you will need to ensure that any certificate replacement is co-ordinated across federations.