How To Obtain a Test Certificate
Since the beginning of 2009 it has been possible to use almost any commercial certificate, and even self-signed certificates, for AAI, as described on the AAI Certificate Acceptance page. The AAI Test certificates are therefore no longer issued, and they are no longer accepted in the Resource Registry because they do not meet the new certificate requirements.
If you don't want to buy a commercial certificate, just generate a self-signed one. For Service Providers, you can use the /etc/shibboleth/keygen.sh script to generate certificates that meet the requirements for SWITCHaai and AAI Test. Run keygen.sh -y 3 -h #HOSTNAME# -e https://#HOSTNAME#/shibboleth (three-year validity, your host name and your entityID) to generate sp-key.pem and sp-cert.pem in your /etc/shibboleth/ directory.
For Identity Providers, the certificate/key pair is generated automatically during installation. However, the validity period of the generated certificate is too long (20 years instead of 3 years). It may therefore be necessary to generate a new pair using the instructions in our Identity Provider deployment guides.
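As an added example (not part of this page and not the Shibboleth keygen.sh script), the following POSIX shell helpers generate a self-signed pair with plain openssl and then check an existing pair against the points above: the key belongs to the certificate, the host name is in the subjectAltName, and the validity is no longer than three years, so the 20-year IdP default is rejected. The function names gen_sp_cert and cert_ok are hypothetical.

```shell
#!/bin/sh
# Added example: hypothetical helpers built on plain openssl; the 3-year
# limit and the SAN contents follow the page, not keygen.sh internals.

# gen_sp_cert HOST ENTITYID YEARS OUTDIR -> writes OUTDIR/sp-key.pem and sp-cert.pem
gen_sp_cert() {
    host=$1; entity=$2; years=$3; out=$4
    # Minimal req config so the SAN is emitted on any OpenSSL version
    cat > "$out/sp.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ext
[dn]
CN = $host
[ext]
subjectAltName = DNS:$host,URI:$entity
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days $((years * 365)) \
        -config "$out/sp.cnf" -keyout "$out/sp-key.pem" -out "$out/sp-cert.pem" \
        >/dev/null 2>&1
}

# cert_ok CERT KEY MAXYEARS HOST -> returns 0 only if every check passes
cert_ok() {
    cert=$1; key=$2; maxyears=$3; host=$4
    # 1. The private key must belong to the certificate (compare SPKI blobs).
    [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
        || { echo "key does not match certificate"; return 1; }
    # 2. The host name the SP is reached under must be in the SAN.
    openssl x509 -in "$cert" -noout -text | grep -qF "DNS:$host" \
        || { echo "host $host missing from subjectAltName"; return 1; }
    # 3. Not expired now ...
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
        || { echo "certificate already expired"; return 1; }
    # 4. ... but expiring within MAXYEARS. -checkend exits 0 when the cert
    #    survives the window, which is exactly the case we reject.
    window=$((maxyears * 366 * 86400))
    if openssl x509 -in "$cert" -noout -checkend "$window" >/dev/null; then
        echo "validity longer than $maxyears years"; return 1
    fi
    # 5. Must verify against itself, i.e. be a proper self-signed certificate.
    openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1 \
        || { echo "certificate is not self-signed"; return 1; }
    echo "ok: $cert"
}
```

Run cert_ok against /etc/shibboleth/sp-cert.pem and sp-key.pem after keygen.sh, or against the IdP pair the installer produced, to see which of the five checks fails.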
- Certificate Chain File (aaitestca.crt): It contains the chain of certificates for AAI Test server certificates up to the AAI Test CA self-signed root certificate.
- CA Bundle File (ca-bundle.aaitest.crt in the Apache configuration below): It contains the CA root certificates used as trust anchors for the AAI Test federation.
Configure the following SSL directives in /etc/apache/httpd.conf (Apache 1.3) or /etc/apache2/ssl.conf (Apache 2.0):

# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A test
# certificate can be generated with `make certificate' under
# built time. Keep in mind that if you've both a RSA and a DSA
# certificate you can configure both in parallel (to also allow
# the use of DSA ciphers, etc.)
SSLCertificateFile /etc/apache/ssl.crt/<HOST.DOMAIN.CH>.test.crt

# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/apache/ssl.key/<HOST.DOMAIN.CH>.test.key

# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convenience.
SSLCertificateChainFile /etc/apache/ssl.crt/aaitestca.crt

# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
SSLCACertificateFile /etc/apache/ssl.crt/ca-bundle.aaitest.crt

# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
SSLVerifyDepth 10
