Identifying What Certificates You Need
X.509 certificates are used for many purposes by Shibboleth. They are also needed for the SSL web servers usually used to host the Shibboleth components.
Potentially, this can result in an installation needing many different certificates. If you are just starting to experiment with Shibboleth, the situation is usually simpler though. In that case, Shibboleth and its corresponding web server are likely to be running on the same test machine, so a single certificate with its Common Name set to the DNS name of the test machine (e.g., shibbox.uni.ac.uk) can be shared by both. This will take the place of the localhost.crt certificate that comes with the Shibboleth distribution. Similarly, a Shibboleth identity provider (origin) and service provider (target) running on the same machine can share the same certificate.
In some cases, an identity provider may need more than one certificate. A known bug in Apache 2.x (not present in 1.3.x) can prevent the POST requests used by Shibboleth from working if "SSLVerifyClient optional" or "SSLVerifyClient required" (one or the other is needed for the Shibboleth attribute authority) is placed within a <Location> container. There are two workarounds that require no extra certificates: setting "SSLVerifyClient optional" globally, or putting the handle server and attribute authority in separate virtual hosts on separate port numbers. However, if separate IP addresses are used, as described at PostBug, then separate certificates will be required too.
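The following Apache 2.x fragment is an added illustration, not configuration from the Shibboleth distribution. It shows the per-Location setting that triggers the POST problem next to the two single-certificate workarounds. The /shibboleth/AA path, port 8443 and the certificate file paths are assumptions chosen for the example.

```apache
# Triggers the Apache 2.x POST problem: client verification requested
# inside a <Location> container (path is an assumed example).
#   <Location /shibboleth/AA>
#       SSLVerifyClient optional
#   </Location>

# Workaround 1: request client certificates for the whole server.
# One certificate, one port; every SSL connection is asked for a
# client certificate, including ordinary browser users.
#   SSLVerifyClient optional

# Workaround 2: separate virtual hosts on separate ports, sharing the
# same certificate because the DNS name (the Common Name) is unchanged.
Listen 443
Listen 8443

# Browser-facing host for the handle server: no client certificate.
<VirtualHost *:443>
    ServerName shibbox.uni.ac.uk
    SSLEngine on
    SSLCertificateFile    /path/to/shibbox.uni.ac.uk.crt   # placeholder path
    SSLCertificateKeyFile /path/to/shibbox.uni.ac.uk.key   # placeholder path
    SSLVerifyClient none
</VirtualHost>

# Attribute authority host: client verification set at virtual-host
# level, so no <Location>-scoped setting is needed.
<VirtualHost *:8443>
    ServerName shibbox.uni.ac.uk
    SSLEngine on
    SSLCertificateFile    /path/to/shibbox.uni.ac.uk.crt   # same certificate
    SSLCertificateKeyFile /path/to/shibbox.uni.ac.uk.key
    SSLVerifyClient optional
</VirtualHost>
```

If the two virtual hosts were instead bound to separate IP addresses with their own DNS names, each would need a certificate whose Common Name matches its own name.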