SWITCHaai CA Acceptance Policy

Whenever a Shibboleth entity communicates with another entity (for example, a Service Provider connecting to an Identity Provider over SSL), it first verifies the partner's identity by means of the partner's X.509 server certificate.

Such a certificate is verified either against the certificate embedded in the partner entity's SAML 2 metadata or against the list of CA (Certification Authority) root certificates below.

[Figure: overview of the certificates involved (Certificates_Overview_small.png)]

Overview

  1. Embedding a certificate in metadata is required for new IdP and SP installations. It scales much better and provides better security, because trust is pinned to each partner's own certificate instead of to any certificate a shared CA might issue.
  2. For backwards compatibility only, the list of accepted root CA certificates is still supported for existing installations. However, this list of CAs is frozen and its use is deprecated as of September 2008.

List of Accepted CA Root Certificates

The list of root CA certificates was kept reasonably short and stable for manageability reasons. On the other hand, it had to be possible and practicable for Federation Members and Federation Partners to obtain a trusted server certificate.
This list is deprecated as of September 2008.

If you are interested in more detailed information on involved certificates and validation, have a look at the certificate overview page.

Server certificates signed by the following CA root certificates are still accepted for existing installations:

SWITCHaai Federation (production)

These certificates are best downloaded from the web pages of the organizations that provide them. For convenience you also can download them directly from this page as collection of X.509 certificates or as Java keystore file.

Important Note: Please make sure that the certificate of your Service Provider (the certificate it presents on the SSL connection to the Identity Provider) carries no extension that prevents its use for client authentication. On that connection the Service Provider acts as the TLS client, so:
If the X.509 extension Netscape Cert Type is present, it must include both SSL Server and SSL Client; if the Extended Key Usage extension is present, it must include both TLS Web Server Authentication and TLS Web Client Authentication. If neither extension is present, the certificate is fine as well, because an absent extension imposes no restriction.

For Apache Client Authentication
ca-bundle.switchaai.crt (all SWITCHaai CAs), please also consult README.txt for fingerprints and additional information
For Tomcat Client Authentication
truststore.switchaai.jks (all SWITCHaai CAs, password: changeit), please also consult README.txt for fingerprints and additional information
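As an added example (not code from this page or from the SWITCHaai software), the following POSIX shell script performs the two checks a deployer wants at this point: whether a certificate's Netscape Cert Type and Extended Key Usage extensions permit the TLS role it is used in (the Important Note above), and a fingerprint listing of every certificate in a PEM bundle such as ca-bundle.switchaai.crt for comparison against the fingerprints in README.txt. It assumes openssl 1.1.1 or newer on the PATH; the certificates it inspects are self-signed ones it constructs itself, and the file and function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the SWITCHaai page. Assumes openssl >= 1.1.1 on
# PATH. All certificates below are constructed, throw-away, self-signed ones.
set -eu

TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT

# Print the value line of one X.509 extension as "openssl x509 -text" shows it,
# or nothing if the certificate does not carry that extension.
# $1 = extension title (e.g. 'Netscape Cert Type'), $2 = PEM certificate file.
ext_values() {
    openssl x509 -in "$2" -noout -text |
        awk -v t="$1" 'index($0, t) { getline; print; exit }'
}

# Return 0 if the certificate may be used in the given TLS role, 1 otherwise.
# $1 = client|server, $2 = PEM certificate file.
# Rule from the note above: nsCertType, if present, must list "SSL Client" /
# "SSL Server"; extendedKeyUsage, if present, must list clientAuth / serverAuth
# (printed as "TLS Web Client/Server Authentication"). An absent extension
# imposes no restriction, so a certificate with neither extension passes.
cert_allows_role() {
    case "$1" in
        client) nct_want='SSL Client'; eku_want='TLS Web Client Authentication' ;;
        server) nct_want='SSL Server'; eku_want='TLS Web Server Authentication' ;;
        *) echo "usage: cert_allows_role client|server cert.pem" >&2; return 2 ;;
    esac
    nct=$(ext_values 'Netscape Cert Type' "$2")
    case "$nct" in ''|*"$nct_want"*) ;; *) return 1 ;; esac
    eku=$(ext_values 'Extended Key Usage' "$2")
    case "$eku" in ''|*"$eku_want"*) ;; *) return 1 ;; esac
    return 0
}

# Print "<fingerprint>  <subject>" for every certificate in a PEM bundle, to
# compare a downloaded CA bundle against the fingerprints listed in README.txt.
# $1 = bundle file, $2 = digest (default sha256; pass sha1 if the README uses SHA-1).
bundle_fingerprints() {
    digest=${2:-sha256}
    # Split the bundle at each BEGIN line; anything before the first one is dropped.
    awk -v dir="$TMPD" '/-----BEGIN CERTIFICATE-----/ { n++ }
                        n { print > (dir "/split-" n ".pem") }' "$1"
    for f in "$TMPD"/split-*.pem; do
        fp=$(openssl x509 -in "$f" -noout -fingerprint -"$digest" | cut -d= -f2)
        subj=$(openssl x509 -in "$f" -noout -subject)
        printf '%s  %s\n' "$fp" "$subj"
    done
    rm -f "$TMPD"/split-*.pem
}

# --- constructed sample certificates (one throw-away key shared by all) ------
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$TMPD/key.pem" 2>/dev/null
# $1 = output name; remaining arguments are extra "openssl req" options (-addext ...).
make_cert() {
    name=$1; shift
    openssl req -x509 -new -key "$TMPD/key.pem" -days 1 \
        -subj "/CN=$name.example.org" -out "$TMPD/$name.pem" "$@" 2>/dev/null
}
make_cert both   -addext 'nsCertType = server, client' \
                 -addext 'extendedKeyUsage = serverAuth, clientAuth'   # acceptable
make_cert server -addext 'nsCertType = server' \
                 -addext 'extendedKeyUsage = serverAuth'               # server-only: rejected as client
make_cert plain                                                        # no such extensions: acceptable
cat "$TMPD/both.pem" "$TMPD/server.pem" "$TMPD/plain.pem" > "$TMPD/bundle.pem"

for c in both server plain; do
    if cert_allows_role client "$TMPD/$c.pem"; then
        echo "$c.pem: usable as client certificate towards the IdP"
    else
        echo "$c.pem: REJECTED for client authentication"
    fi
done
bundle_fingerprints "$TMPD/bundle.pem"
```

To check a real Service Provider certificate, run `cert_allows_role client sp-cert.pem` and `cert_allows_role server sp-cert.pem` on it; a certificate with `nsCertType = server` only, as issued by some CAs for web servers, is the case the note warns about and is rejected by the client check. `bundle_fingerprints ca-bundle.switchaai.crt` prints one line per CA so the digests can be compared against README.txt line by line.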

If you decide to use SWITCHpki certificates, there are two ways to get such a certificate:

You are already participating in the SWITCHpki program
Follow the steps described on the SWITCHpki certificate page.
You are a SWITCHaai Federation Partner
Follow the steps described on the SWITCHaai partner certificate page.

AAI Test Federation (test)

In order to join the AAI Test Federation as quickly as possible, request an AAI Test certificate. Just follow the steps described on the AAI Test certificate page.

For Apache Client Authentication
ca-bundle.aaitest.crt (all AAI Test CAs)
For Tomcat Client Authentication
truststore.aaitest.jks (all AAI Test CAs, password: changeit)

Acceptance of Additional CA Root Certificates

The above list for SWITCHaai is frozen as of September 2008. No further Root CAs get added.
Instead, you now embed a certificate in metadata. It scales much better and provides better security.

Removal of CA Root Certificates

On February 23, 2010, the following Root CAs were removed from the above list and from the bundle files because they are no longer used, are deprecated or will expire soon:

  • EPFL Root CA
  • SwissSign Root CA
  • TC TrustCenter (Class 2) CA
  • TC TrustCenter (Class 3) CA