Since the beginning of 2009 it has been possible to use self-signed or almost any commercial certificates for AAI, as described on the AAI Certificate Acceptance page. Therefore, certificates issued by the "AAI Test CA" are no longer provided (the CA certificate expired in 2011, in any case).
We recommend generating a self-signed certificate. For Service Providers, you can use the keygen.sh script to generate certificates that meet the requirements for SWITCHaai and AAI Test. Use keygen.sh -y 3 -h #HOSTNAME# -e https://#HOSTNAME#/shibboleth to generate sp-key.pem and sp-cert.pem in your /etc/shibboleth/ directory.
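To check the generated pair before registering it, the following added example (not part of this page's original text or of keygen.sh) verifies remaining validity, the subjectAltName entries and that the key matches the certificate. It assumes the openssl command is installed and that keygen.sh records the hostname and entityID in the subjectAltName; the three checks are illustrative, not the official SWITCHaai requirement list.

```shell
#!/bin/sh
# Added example, not part of keygen.sh. Requires the openssl CLI.
# Usage: sh check-sp-cert.sh CERT KEY HOSTNAME ENTITYID [MIN_DAYS]

# Returns 0 when every check passes, 1 otherwise (one line per failure).
check_sp_cert() {
    cert=$1; key=$2; host=$3; entity=$4; min_days=${5:-30}
    rc=0

    # 1. The certificate must remain valid for at least MIN_DAYS days.
    if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "FAIL: certificate expires within $min_days days"; rc=1
    fi

    # 2. subjectAltName must list the hostname and the entityID exactly
    #    (assumption: keygen.sh writes both there). One SAN entry per line.
    san=$(openssl x509 -in "$cert" -noout -text |
          sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' ' | tr ',' '\n')
    for want in "DNS:$host" "URI:$entity"; do
        printf '%s\n' "$san" | grep -Fxq "$want" ||
            { echo "FAIL: $want missing from subjectAltName"; rc=1; }
    done

    # 3. The private key must belong to the certificate: compare digests
    #    of the public key derived from each file.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: private key does not match certificate"; rc=1; }

    return $rc
}

# Run the checks only when the script is called with arguments.
if [ "$#" -ge 4 ]; then
    check_sp_cert "$@"
fi
```
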
For Identity Providers, the certificate/key pair is generated automatically at installation time. Make sure that you set the IdPCertLifetime environment variable accordingly when executing install.sh, as documented in our Identity Provider deployment guide.