How To Update Server Certificates for Shibboleth

X.509 server certificates are usually valid for one year, sometimes a few years. Renewal is essential for the proper function of Shibboleth and therefore for the AAI infrastructure. This page gives advice for Identity Provider and Service Provider administrators.

Updating the Server Certificate

In general, updating the server certificate involves the same steps as getting a new certificate:

  1. generate the private key
  2. generate a certificate signing request (CSR)
  3. get the signed server certificate

For use with Shibboleth, the certificate must be PEM-encoded (a standalone X.509 certificate) and accompanied by its certificate chain. Participants of SWITCHpki forward the request to the person responsible for certificates in their organisation. Consult the SWITCHpki Certificate Management pages for instructions.
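A worked run of the three steps plus the checks worth making before the new files go into place, as an added example (not from this page or the Shibboleth project). It uses openssl, the placeholder host www.example.edu from this page, and a constructed throwaway CA in place of SWITCHpki for the signing step.

```shell
#!/bin/sh
# Added example, not from the original page. Renews a Shibboleth server
# certificate with openssl and checks the result before the files are
# copied to the locations configured in shibboleth.xml.
set -eu
HOST=www.example.edu                       # placeholder host from the page
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# Steps 1 and 2: private key, then the certificate signing request (CSR).
make_key_and_csr() {
    openssl genrsa -out "$WORK/$HOST.key" 2048 2>/dev/null
    chmod 600 "$WORK/$HOST.key"            # shibd needs it, nobody else does
    openssl req -new -key "$WORK/$HOST.key" -subj "/CN=$HOST" \
        -out "$WORK/$HOST.csr"
}

# Step 3 stand-in: a constructed throwaway CA signs the CSR. In practice the
# organisation's SWITCHpki contact submits the CSR and returns the certificate.
sign_with_demo_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl x509 -req -in "$WORK/$HOST.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
        -out "$WORK/$HOST.crt" 2>/dev/null
    # PEM as Shibboleth expects it: server certificate followed by its chain.
    cat "$WORK/ca.crt" >>"$WORK/$HOST.crt"
}

# Check 1: the certificate was issued for this private key (same public key).
key_matches_cert() {                       # $1 = key file, $2 = cert file
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout | openssl sha256)
    [ "$k" = "$c" ]
}

# Check 2: the first certificate in the file chains to the trusted CA.
chain_verifies() {                         # $1 = CA bundle, $2 = cert file
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 3: the certificate stays valid for at least $2 more days.
valid_for_days() {                         # $1 = cert file, $2 = days
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}
make_key_and_csr
sign_with_demo_ca
key_matches_cert "$WORK/$HOST.key" "$WORK/$HOST.crt" && echo "key matches cert"
chain_verifies "$WORK/ca.crt" "$WORK/$HOST.crt" && echo "chain verifies"
valid_for_days "$WORK/$HOST.crt" 300 && echo "valid for 300+ days"
```

Run the same three checks against the real SWITCHpki-signed certificate and your organisation's CA bundle before restarting shibd; a key/certificate mismatch or an incomplete chain is the usual cause of a failed renewal.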

Service Provider Configuration

Linux / Solaris

The certificate and key files are used by the Shibboleth Daemon (shibd). Their locations are configured in the file shibboleth.xml.

If the certificate is shared between Apache and Shibboleth, the files typically reside in /etc/apache/ssl.key/www.example.edu.key and /etc/apache/ssl.crt/www.example.edu.crt.

Windows

The certificate and key are used by the Shibboleth Daemon (shibd) service. Copy the certificate and private key files to the appropriate locations (as configured in shibboleth.xml):

C:/opt/shibboleth-sp/etc/shibboleth/www.example.edu.key
C:/opt/shibboleth-sp/etc/shibboleth/www.example.edu.crt