Making the Trust-Fabric Certificate

For the trust-fabric certificate for a service provider, the federation recommends a long-lived (10 to 20 years) self-signed certificate, and requires a key length of at least 2048 bits. We recommend 2048 bits, as longer keys provide no additional practical security but are more computationally expensive for all parties.

A suitable private key and certificate can be created in a single step using OpenSSL. On Red Hat and some other Linux distributions, OpenSSL is part of the standard distribution. For other operating systems, Windows binaries of OpenSSL and source packages for Unix systems are available via http://www.openssl.org. OpenSSL also comes bundled with some Windows binary versions of Apache httpd.

Bear in mind that you may need to seed OpenSSL's random number generator properly after installation; see the OpenSSL documentation for "openssl genrsa -rand".

The following OpenSSL command generates a private key file private.ss.key and a self-signed certificate file certificate.ss.crt where the key length is 2048 bits and the lifetime of the certificate is 10 years:

  openssl req -x509 -newkey rsa:2048 -keyout private.ss.key \
    -nodes -sha256 -days 3650 -out certificate.ss.crt -extensions usr_cert

The -extensions option gives the generated certificate the form appropriate for an end-user certificate rather than a CA certificate, but this is not essential. If usr_cert or an equivalent section is not available in your system's openssl.cnf configuration, the command will fail with an error; in that case the -extensions part may be omitted.

You will be prompted by the command to enter the Distinguished Name details for the certificate: country, organisation name and so on. The only one of these that is important for the trust-fabric certificate is the CN (Common Name), which for an identity provider must match the fully qualified domain name of the Attribute Authority (AA)'s URL (e.g., shibbox.uni.ac.uk). Even that is not required for a service provider, although making the CN match the DNS name of the server is conventional. It should be lower case, in line with standard practice for domain names.

Make sure that the generated private key is not readable by anyone else (often the default is that files are readable by others). To make a file inaccessible by other users (except system administrators):

 chmod go= private.ss.key

The private key and certificate files should be kept safe. If you lose either, you will need to register a new certificate with the federation. At a minimum:

  • Ensure that there is a backup of the files and that the backup key is not readable by other users.
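The points made in this section (self-signed certificate, key of at least 2048 bits, lower-case CN, private key that belongs to the certificate and is not accessible to other users) can be checked before the certificate is registered. The script below is an added example, not part of the federation's own documentation; the function name check_trust_fabric_cert is hypothetical, and it assumes an RSA key and the file names used above.

```shell
#!/bin/sh
# Added example: check a certificate/key pair against the points on this page.
# Usage: sh check_cert.sh certificate.ss.crt private.ss.key
check_trust_fabric_cert() {
    cert=$1; key=$2; rc=0
    fail() { echo "FAIL: $*" >&2; rc=1; }

    # Self-signed: subject and issuer names hash to the same value.
    [ "$(openssl x509 -in "$cert" -noout -subject_hash)" = \
      "$(openssl x509 -in "$cert" -noout -issuer_hash)" ] ||
        fail "certificate is not self-signed"

    # Key length: the federation requires at least 2048 bits.
    bits=$(openssl x509 -in "$cert" -noout -text |
           sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] ||
        fail "key is ${bits:-unknown} bits, need at least 2048"

    # CN must be present and lower case.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= //p')
    [ -n "$cn" ] || fail "no CN in subject"
    [ "$cn" = "$(printf '%s' "$cn" | tr '[:upper:]' '[:lower:]')" ] ||
        fail "CN '$cn' is not lower case"

    # The private key must be the one the certificate was made from.
    [ "$(openssl x509 -in "$cert" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] ||
        fail "private key does not match certificate"

    # No group/other permission bits on the private key (chmod go=).
    [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] ||
        fail "private key is accessible to group or others"

    return $rc
}

# Run the checks when called with a certificate and a key file.
if [ "$#" -eq 2 ]; then
    check_trust_fabric_cert "$1" "$2"
fi
```

The function returns 0 only if every check passes, and prints one FAIL line per problem to standard error.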

Certificate Renewal

A copy of the trust-fabric certificate for your entity is embedded in the federation's published metadata. Changing it would therefore require a formal request to the federation. To minimise the need for this, it is given a much longer lifetime than most CAs allow, which is possible because it is never seen by users' browsers.