Appendix A: Sample SAML2 Metadata embedded certificate

This guide explains how to generate an X.509 certificate that meets the certificate requirements for the SWITCHaai federation. The instructions below use the placeholder hostname sp.example.org and entityID https://sp.example.org/shibboleth; replace them with the Fully Qualified Domain Name and the entityID of the Service Provider for which the certificate is to be generated.

OpenSSL configuration file

On a host where OpenSSL is installed, perform the following steps:

  1. Create an OpenSSL configuration file sp-cert.cnf with the following content:
    [req]
    RANDFILE=/dev/urandom
    default_bits=3072
    default_md=sha256
    encrypt_key=no
    distinguished_name=dn
    # PrintableStrings only
    string_mask=MASK:0002
    prompt=no
    x509_extensions=ext
    
    # customize the "default_keyfile", "CN" and "subjectAltName" lines below
    default_keyfile=sp-key.pem
    
    [dn]
    CN=sp.example.org
    
    [ext]
    subjectAltName = DNS:sp.example.org, \
                     URI:https://sp.example.org/shibboleth
    subjectKeyIdentifier=hash
    
  2. Then run the following command:
    $ openssl req -new -x509 -config sp-cert.cnf -text -out sp-cert.pem -days 1096
  3. Use the resulting sp-cert.pem and sp-key.pem for your SAML Service Provider to sign and decrypt SAML assertions.

Certificate

The generated certificate should look like the output below when dumped with this command:

$ openssl x509 -in sp-cert.pem -nameopt show_type,sep_comma_plus_space -text

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            88:c4:36:0d:c8:49:4d:0b
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=PRINTABLESTRING:sp.example.org
        Validity
            Not Before: Jun 12 14:27:22 2017 GMT
            Not After : Jun 12 14:27:22 2020 GMT
        Subject: CN=PRINTABLESTRING:sp.example.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (3072 bit)
                Modulus (3072 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:sp.example.org, URI:https://sp.example.org/shibboleth
            X509v3 Subject Key Identifier: 
                31:66:51:A8:6A:08:4C:DF:9F:2E:7E:B8:16:3C:71:09:AC:64:52:2A
    Signature Algorithm: sha256WithRSAEncryption

Display the SHA1 fingerprint of the certificate with this command:

$ openssl x509 -noout -fingerprint -sha1 -in sp-cert.pem

SHA1 Fingerprint=5A:04:3B:BC:DD:B8:10:EE:C8:0D:E0:41:80:B9:4A:AE:1C:49:32:48
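As an added example that is not part of the SWITCHaai guide, the following POSIX shell script reproduces steps 1 and 2 for a given FQDN and entityID and then checks the resulting sp-cert.pem for the properties shown in the dump above (RSA key of at least 3072 bits, sha256WithRSAEncryption, PrintableString CN, subjectAltName with the DNS name and the entityID URI, self-signed, not expired) before printing the SHA1 fingerprint. The function names, FAIL messages and scratch directory are this example's own, and the legacy RANDFILE line is left out of the generated configuration.

```shell
#!/bin/sh
# Added example (not from the SWITCHaai guide): reproduce steps 1 and 2 for a given
# FQDN/entityID, then check the result against the requirements the config encodes.
set -eu
write_sp_cnf() {  # $1=config file  $2=FQDN  $3=entityID  $4=key file   (step 1, without RANDFILE)
  cat > "$1" <<EOF
[req]
default_bits=3072
default_md=sha256
encrypt_key=no
distinguished_name=dn
string_mask=MASK:0002
prompt=no
x509_extensions=ext
default_keyfile=$4
[dn]
CN=$2
[ext]
subjectAltName=DNS:$2,URI:$3
subjectKeyIdentifier=hash
EOF
}
generate_sp_cert() {  # $1=config file  $2=certificate file   (step 2; the key goes to default_keyfile)
  openssl req -new -x509 -config "$1" -out "$2" -days 1096 2>/dev/null
}
# Succeed only if the certificate is self-signed and unexpired, has an RSA key of at least
# 3072 bits, a SHA-256 signature, a PrintableString CN, and a SAN that lists both the FQDN
# and the entityID URI; the first unmet requirement is reported on stdout.
check_sp_cert() {  # $1=certificate file  $2=FQDN  $3=entityID
  text=$(openssl x509 -in "$1" -noout -text -nameopt show_type,sep_comma_plus_space) || return 1
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  [ "${bits:-0}" -ge 3072 ] || { echo "FAIL: RSA key is only ${bits:-?} bits"; return 1; }
  printf '%s\n' "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' ||
    { echo "FAIL: signature algorithm is not sha256WithRSAEncryption"; return 1; }
  printf '%s\n' "$text" | grep -Eq "Subject: *CN ?= ?PRINTABLESTRING:$2\$" ||
    { echo "FAIL: subject is not a PrintableString CN=$2"; return 1; }
  printf '%s\n' "$text" | grep -Fq "DNS:$2, URI:$3" ||
    { echo "FAIL: subjectAltName lacks DNS:$2, URI:$3"; return 1; }
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = "$(openssl x509 -in "$1" -noout -issuer_hash)" ] ||
    { echo "FAIL: issuer differs from subject, so not self-signed"; return 1; }
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null || { echo "FAIL: certificate has expired"; return 1; }
}
# Run all three steps in a scratch directory, then print the SHA1 fingerprint as the guide does.
run_demo() {  # $1=FQDN  $2=entityID
  dir=$(mktemp -d)
  write_sp_cnf "$dir/sp-cert.cnf" "$1" "$2" "$dir/sp-key.pem"
  generate_sp_cert "$dir/sp-cert.cnf" "$dir/sp-cert.pem"
  check_sp_cert "$dir/sp-cert.pem" "$1" "$2" && openssl x509 -noout -fingerprint -sha1 -in "$dir/sp-cert.pem"
}
if [ $# -eq 2 ]; then run_demo "$1" "$2"; fi   # e.g. sh sp-cert.sh sp.example.org https://sp.example.org/shibboleth
```

Without string_mask=MASK:0002, current OpenSSL releases encode the CN as UTF8String, which the PrintableString check reports as a failure.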