The following signing certificate (public key) is issued for the Technology Preview environment. If you are looking for the production key, see production metadata signing key.
Certificate Fingerprint:
SHA512 Fingerprint=63:DC:31:7A:FE:C0:ED:95:EF:82:B3:49:D0:AC:8E:50:62:27:47:2F:D7:DE:34:46:0B:DA:88:1E:F8:B3:DA:21:AE:04:78:22:E6:49:D8:39:CD:C9:35:FD:E3:69:15:8D:86:3D:8B:16:14:E7:C6:FA:F0:D5:F8:DB:4D:42:85:46
SHA384 Fingerprint=39:8F:D8:9D:AB:1F:43:AA:23:DE:C7:76:59:EB:60:C9:FE:21:61:95:F4:14:FC:DD:B8:CE:25:A1:44:B1:0C:D5:F7:7B:B4:0F:B3:CD:BB:AC:1A:CF:83:A7:56:25:3C:A5
SHA256 Fingerprint=F6:F4:22:4C:25:E3:E6:4E:E7:9E:95:00:2E:BF:02:07:6A:00:53:C1:13:75:D0:9E:DD:1F:51:77:E4:0F:94:42
SHA1 Fingerprint=CF:A8:7A:57:00:6E:05:09:CD:63:A1:49:1B:4B:F8:46:98:DD:3A:38
At a later date, fingerprints will also be posted on ops.incommon.org, as with the legacy signing certificate.
Certificate:
incommon-mdq.pem
You may check the integrity of the downloaded certificate in a variety of ways. For example, on a GNU/Linux system, you could use curl and openssl to perform the first two steps of the bootstrap process:
$ openssl x509 -sha1 -noout -fingerprint -in incommon-mdq.pem
SHA1 Fingerprint=CF:A8:7A:57:00:6E:05:09:CD:63:A1:49:1B:4B:F8:46:98:DD:3A:38
$ openssl x509 -sha256 -noout -fingerprint -in incommon-mdq.pem
SHA256 Fingerprint=F6:F4:22:4C:25:E3:E6:4E:E7:9E:95:00:2E:BF:02:07:6A:00:53:C1:13:75:D0:9E:DD:1F:51:77:E4:0F:94:42
$ openssl x509 -sha384 -noout -fingerprint -in incommon-mdq.pem
SHA384 Fingerprint=39:8F:D8:9D:AB:1F:43:AA:23:DE:C7:76:59:EB:60:C9:FE:21:61:95:F4:14:FC:DD:B8:CE:25:A1:44:B1:0C:D5:F7:7B:B4:0F:B3:CD:BB:AC:1A:CF:83:A7:56:25:3C:A5
$ openssl x509 -sha512 -noout -fingerprint -in incommon-mdq.pem
SHA512 Fingerprint=63:DC:31:7A:FE:C0:ED:95:EF:82:B3:49:D0:AC:8E:50:62:27:47:2F:D7:DE:34:46:0B:DA:88:1E:F8:B3:DA:21:AE:04:78:22:E6:49:D8:39:CD:C9:35:FD:E3:69:15:8D:86:3D:8B:16:14:E7:C6:FA:F0:D5:F8:DB:4D:42:85:46
You can also check downloaded metadata against the signing cert for validity. You will need to first download xmlsectool here: http://shibboleth.net/downloads/tools/xmlsectool/
$ curl -s -o internet2-idp-metadata.xml http://mdq-preview.incommon.org/entities/urn:mace:incommon:internet2.edu
$ xmlsectool.sh --verifySignature --certificate incommon-mdq.pem --inFile internet2-idp-metadata.xml
<Output goes here>
More information on xmlsectool is available here: https://wiki.shibboleth.net/confluence/display/XSTJ2/xmlsectool+V2+Home
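The fingerprint check above can be scripted so that signature verification never runs against a certificate that has not been compared with the published value. This is an added example, not part of the original page or of InCommon's tooling; the function names are hypothetical, and the pinned value is the SHA256 fingerprint published on this page.

```shell
#!/bin/sh
# Added example: pin the published SHA-256 fingerprint and fail closed.

# SHA256 fingerprint published on this page for incommon-mdq.pem.
PINNED_SHA256='F6:F4:22:4C:25:E3:E6:4E:E7:9E:95:00:2E:BF:02:07:6A:00:53:C1:13:75:D0:9E:DD:1F:51:77:E4:0F:94:42'

# Reduce "SHA256 Fingerprint=AA:BB:..." (or bare hex, any case, with
# colons or whitespace) to upper-case hex digits only, so that label
# casing and separator differences between tools do not matter.
fp_normalize() {
    printf '%s' "${1##*=}" | tr -d ': \t\r\n' | tr 'abcdef' 'ABCDEF'
}

# Succeed only if the first value is exactly 64 hex digits (32 bytes)
# and is identical to the second after normalization.
fp_matches() {
    a=$(fp_normalize "$1")
    b=$(fp_normalize "$2")
    case "$a" in *[!0-9A-F]*|'') return 1 ;; esac
    [ "${#a}" -eq 64 ] && [ "$a" = "$b" ]
}

# Hypothetical helper: check a certificate file against the pin.
# Returns 0 on match, 1 on mismatch, 2 if openssl cannot read the file.
verify_pinned_cert() {
    cert=$1
    actual=$(openssl x509 -sha256 -noout -fingerprint -in "$cert") || {
        echo "cannot parse certificate: $cert" >&2
        return 2
    }
    if fp_matches "$actual" "$PINNED_SHA256"; then
        echo "fingerprint OK: $cert"
    else
        echo "FINGERPRINT MISMATCH: $cert (do not use)" >&2
        return 1
    fi
}

# Usage sketch: only verify metadata once the certificate matches the pin.
#   verify_pinned_cert incommon-mdq.pem &&
#     xmlsectool.sh --verifySignature --certificate incommon-mdq.pem \
#       --inFile internet2-idp-metadata.xml
```

Obtain the pinned value over a channel independent of the one used to download the certificate; a fingerprint fetched alongside the certificate from the same place proves nothing.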