How To Obtain a SWITCHaai Partner Certificate

Federation Partners should use one of the accepted certificates and not a SWITCHaai Partner Certificate anymore.

Issuing new SWITCHaai Partner Certificates has been deprecated since the certificate acceptance policy was changed in September 2008.


Federation Partner Certificates were introduced to give Federation Partners, with minimal effort, a certificate from a CA accepted by the SWITCHaai federation. These certificates are used for the communication between the Shibboleth SP of the Federation Partner and the Shibboleth IdPs of the Federation Members.

In the following, PARTNER-NAME will have to be replaced by the fully qualified name allocated to each Federation Partner by SWITCHaai, like e.g. testing.partner-switchaai.ch.

Should a key generated in Step 0 ever be compromised, the Federation Partner MUST notify SWITCHaai and will from then on have to use a newly allocated name.

Windows

To get a Windows binary of OpenSSL, go to http://www.openssl.org/related/binaries.html.
See that page for additional information about the installation.

Step 0: Generate an RSA Key

The first step is to generate a new RSA key using OpenSSL.
The following commands generate a 2048-bit RSA key in PEM format, encrypted with a pass phrase (Triple DES) that OpenSSL prompts for, and restrict the file to its owner:

    cd /etc/shibboleth
    openssl genrsa -des3 -out PARTNER-NAME.enckey 2048
    chmod 400 PARTNER-NAME.enckey

It is also possible to generate an unencrypted key file directly (see the section below). The command is:

    openssl genrsa -out PARTNER-NAME.key 2048

Optionally remove the existing pass phrase from the key

Be aware that the private key is then no longer protected by a pass phrase and therefore must be kept in a secure location, readable only by the account under which the shibboleth daemon runs.

    cd /etc/shibboleth
    openssl rsa -in PARTNER-NAME.enckey \
        -out PARTNER-NAME.key
    chmod 400 PARTNER-NAME.key

Step 1: Generate a Certificate Signing Request (CSR)

We assume that the key is in the file PARTNER-NAME.enckey (if you use the unencrypted PARTNER-NAME.key from Step 0, substitute that file name). OpenSSL will ask for the pass phrase of an encrypted key.

Generate a CSR (Certificate Signing Request):

    openssl req -new -key PARTNER-NAME.enckey \
        -out PARTNER-NAME.csr

You will be prompted for the following fields:

    Country Name: CH
    State or Province Name: .    (enter "." to provide an empty field)
    Locality Name: .             (enter "." to provide an empty field)
    Organization Name: .         (enter "." to provide an empty field)
    Common Name: PARTNER-NAME    (fully qualified name)
    EMail: .                     (enter "." to provide an empty field)

Do not provide 'Alternative Names' in the CSR; they are not necessary for partner certificates.

Step 2: Submit the Certificate Signing Request to SWITCHaai

Send the PARTNER-NAME.csr file you just generated by e-mail to aai@switch.ch and you will receive the certificate soon.
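The following shell script is an added example and not part of the SWITCHaai instructions. It runs Step 0 and Step 1 non-interactively (unencrypted key, a minimal inline OpenSSL config so that the subject is exactly C=CH, CN=PARTNER-NAME with no Subject Alternative Name) and adds the checks worth running before mailing the CSR and before putting the returned certificate into the SP configuration: CSR self-signature, Common Name, absence of a SAN, and a modulus comparison between key, CSR and certificate. Two things are assumptions made so that it runs stand-alone: files go to a temporary directory instead of /etc/shibboleth, and the certificate SWITCHaai would send back is simulated with a self-signed one.

```shell
#!/bin/sh
# Added example, not code from the SWITCHaai page: non-interactive Step 0 and
# Step 1 plus the consistency checks to run before mailing the CSR and before
# deploying the certificate you get back. Needs only the openssl command.
# Assumption: files go to a temporary directory instead of /etc/shibboleth.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Step 0: 2048-bit RSA key without pass phrase. umask 077 in a subshell makes
# sure the file is never created world-readable; chmod 400 then matches the page.
gen_key() {
  name="$1"
  ( umask 077 && openssl genrsa -out "$WORKDIR/$name.key" 2048 2>/dev/null )
  chmod 400 "$WORKDIR/$name.key"
}

# Step 1: CSR whose subject is exactly C=CH, CN=PARTNER-NAME, all other fields
# empty, and no Subject Alternative Name. A minimal inline config replaces the
# interactive prompts and removes the dependency on the system openssl.cnf.
gen_csr() {
  name="$1"
  cat > "$WORKDIR/$name.cnf" <<EOF
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
C = CH
CN = $name
EOF
  openssl req -new -key "$WORKDIR/$name.key" -config "$WORKDIR/$name.cnf" \
    -out "$WORKDIR/$name.csr"
}

# Before sending: the CSR self-signature verifies, the CN is the allocated name,
# no SAN slipped in, and the CSR's public key belongs to the private key that
# will later be referenced from shibboleth.xml.
csr_is_sane() {
  name="$1"
  key="$WORKDIR/$name.key"
  csr="$WORKDIR/$name.csr"
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
  openssl req -in "$csr" -noout -subject | grep -q "CN *= *$name" || return 1
  if openssl req -in "$csr" -noout -text | grep -q 'Subject Alternative Name'; then
    return 1
  fi
  [ "$(openssl rsa -in "$key" -noout -modulus)" = \
    "$(openssl req -in "$csr" -noout -modulus)" ]
}

# Before deploying: the certificate returned by the CA must carry the public key
# of the private key in /etc/shibboleth; a mismatch silently breaks TLS/signing.
cert_matches_key() {
  cert="$1"
  key="$2"
  [ "$(openssl x509 -in "$cert" -noout -modulus)" = \
    "$(openssl rsa -in "$key" -noout -modulus)" ]
}

# Stand-alone demo. The certificate from aai@switch.ch is simulated with a
# self-signed one (constructed here, not something SWITCHaai would issue).
demo() {
  name="testing.partner-switchaai.ch"
  gen_key "$name" && gen_csr "$name" && csr_is_sane "$name" || return 1
  openssl x509 -req -in "$WORKDIR/$name.csr" -signkey "$WORKDIR/$name.key" \
    -days 30 -out "$WORKDIR/$name.crt" 2>/dev/null
  cert_matches_key "$WORKDIR/$name.crt" "$WORKDIR/$name.key"
}

if [ "${1:-}" = "demo" ]; then
  if demo; then
    echo "key, CSR and certificate in $WORKDIR are consistent"
  else
    echo "consistency check failed" >&2
    exit 1
  fi
fi
```

Invoked with the argument demo, the script generates the key and CSR, checks them, self-signs a stand-in certificate and checks that too; in real use you would run csr_is_sane on the CSR before e-mailing it and cert_matches_key on the file received from aai@switch.ch (with the key in /etc/shibboleth) before touching shibboleth.xml. The modulus comparison is the quickest way to catch the classic mistake of regenerating the key after the CSR was sent.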

Step 3: Add the Key and the Certificate to your Shibboleth SP Configuration

In shibboleth.xml, add a <RelyingParty> element to the <CredentialUse> element, so that the partner credentials are used only towards the SWITCHaai federation (relying party urn:mace:switch.ch:SWITCHaai) while your existing credentials, named "defcreds" in this example, remain the default. The identifier switchaai-partner-creds must match the Id of the <FileResolver> that holds the new key and certificate.

    <CredentialUse TLS="defcreds" Signing="defcreds">
      <RelyingParty Name="urn:mace:switch.ch:SWITCHaai"
                    TLS="switchaai-partner-creds"
                    Signing="switchaai-partner-creds"/>
    </CredentialUse>

Then add a new <FileResolver> element with the paths to the new key and the new certificate to the <Credentials> element, which itself is part of the <CredentialsProvider> element. The <Key> path refers to the unencrypted PARTNER-NAME.key produced in Step 0, and PARTNER-NAME.crt is the certificate received from SWITCHaai in Step 2.

    <CredentialsProvider type="edu.internet2.middleware.shibboleth.common.Credentials">
      <Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
        <FileResolver Id="defcreds">
          <Key>
            <Path>/etc/shibboleth/sp-example.key</Path>
          </Key>
          <Certificate>
            <Path>/etc/shibboleth/sp-example.crt</Path>
          </Certificate>
        </FileResolver>
        <FileResolver Id="switchaai-partner-creds">
          <Key format="PEM">
            <Path>/etc/shibboleth/PARTNER-NAME.key</Path>
          </Key>
          <Certificate format="PEM">
            <Path>/etc/shibboleth/PARTNER-NAME.crt</Path>
          </Certificate>
        </FileResolver>
      </Credentials>
    </CredentialsProvider>