Identifying What Certificates You Need

X.509 certificates are used for many purposes by Shibboleth. They are also needed for the SSL web servers usually used to host the Shibboleth components.

Potentially, this can result in an installation needing many different certificates. If you are just starting to experiment with Shibboleth, the situation is usually simpler. In that case Shibboleth and its web server are likely to be running on the same test machine, so a single certificate issued to the DNS name of that machine (e.g., shibbox.uni.ac.uk) can be shared by both. This certificate takes the place of the localhost.crt certificate that ships with the Shibboleth distribution. Similarly, a Shibboleth identity provider (origin) and service provider (target) running on the same machine can share one certificate. Note that the name must match the hostname clients actually connect to: set it as the Common Name, and also as a DNS entry in the subjectAltName extension, because current browsers and TLS libraries check subjectAltName rather than the Common Name.

In some cases, an identity provider may need more than one certificate. A known bug in Apache 2.x (not present in 1.3.x) can prevent the POST requests used by Shibboleth from working. No additional certificate is required with the recommended workaround, which puts the attribute authority in a virtual host on a separate port (usually 8443) of the same hostname, since the port does not affect certificate name matching. However, if a separate IP address is used instead, as described at PostBug, a separate certificate matching that host's name will be required too.
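As an added example (not from the Shibboleth documentation or distribution), the following script generates the single self-signed test certificate described above for shibbox.uni.ac.uk, carrying the hostname both as Common Name and as a subjectAltName DNS entry, and then checks that a given certificate file actually names a given host. The same certificate file can be referenced by the main web server, by the attribute authority virtual host on port 8443, and by Shibboleth itself, because only the hostname is matched. The file names, the config layout and the WORKDIR variable are assumptions; only openssl and POSIX shell tools are used.

```shell
#!/bin/sh
# Added example, not part of the Shibboleth distribution.
# Generate one self-signed test certificate for a host and check that a
# certificate file names that host.  Assumes openssl on the PATH.
set -e

# Assumption: output directory; defaults to a fresh temporary directory.
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# make_test_cert HOST
# Writes $WORKDIR/HOST.key and $WORKDIR/HOST.crt with CN=HOST and
# subjectAltName=DNS:HOST (the latter is what modern clients check).
# The config-file route works on any OpenSSL release, unlike -addext.
make_test_cert() {
  host="$1"
  cat > "$WORKDIR/$host.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $host
[ext]
subjectAltName = DNS:$host
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -config "$WORKDIR/$host.cnf" \
    -keyout "$WORKDIR/$host.key" -out "$WORKDIR/$host.crt" 2>/dev/null
  echo "$WORKDIR/$host.crt"
}

# cert_cn CERTFILE
# Prints the Common Name from the certificate subject.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject=//; s/.*CN=\([^,]*\).*/\1/'
}

# cert_names_host CERTFILE HOST
# Succeeds only if HOST appears as a DNS entry in subjectAltName.
# Prints the line following the SAN header, splits it on commas and
# looks for an exact "DNS:HOST" entry.
cert_names_host() {
  openssl x509 -in "$1" -noout -text \
    | sed -n '/Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*//' \
    | grep -qx "DNS:$2"
}

# Usage: sh make-test-cert.sh shibbox.uni.ac.uk
if [ $# -gt 0 ]; then
  CRT=$(make_test_cert "$1")
  echo "wrote $CRT (CN=$(cert_cn "$CRT"))"
  if cert_names_host "$CRT" "$1"; then
    echo "subjectAltName covers $1"
  else
    echo "subjectAltName does not cover $1" >&2
    exit 1
  fi
fi
```

Point the web server's SSLCertificateFile and SSLCertificateKeyFile, the 8443 virtual host, and the Shibboleth configuration at the same .crt and .key pair. Running `cert_names_host` against a certificate before deploying it catches the common mistake of a certificate issued to a different name than the one clients use.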