The InCommon metadata signing certificate is a long-lived, self-signed certificate containing the public key corresponding to the private metadata signing key. See: Metadata signing key for the Production environment.
To ensure that the metadata you retrieved from InCommon has not been tampered with by intermediate devices or agents, you must verify the XML signature on every metadata file you consume. To do that, you need an authentic copy of the metadata signing certificate. The certificate must be obtained securely, since all subsequent operations depend on it.
To obtain an authentic copy of the metadata signing certificate, perform the following steps:
The latter two steps guarantee the integrity of the metadata signing certificate so obtained.
You may check the integrity of the downloaded certificate in a variety of ways. For example, on a GNU/Linux system, you could use curl and openssl to perform the first two steps of the bootstrap process:
```
# Step 1: Download a copy of the metadata signing certificate via a secure channel
$ MD_CERT_LOCATION=https://ds.incommon.org/certs/inc-md-cert.pem
$ MD_CERT_PATH=/path/to/inc-md-cert.pem
$ /usr/bin/curl --silent $MD_CERT_LOCATION > $MD_CERT_PATH

# Step 2: Compute the SHA-1 and SHA-256 fingerprints of the metadata signing certificate
$ /bin/cat $MD_CERT_PATH | /usr/bin/openssl x509 -sha1 -noout -fingerprint
SHA1 Fingerprint=7D:B4:BB:28:D3:D5:C8:52:E0:80:B3:62:43:2A:AF:34:B2:A6:0E:DD
$ /bin/cat $MD_CERT_PATH | /usr/bin/openssl x509 -sha256 -noout -fingerprint
SHA256 Fingerprint=2F:9D:9A:A1:FE:D1:92:F0:64:A8:C6:31:5D:39:FA:CF:1E:08:84:0D:27:21:F3:31:B1:70:A5:2B:88:81:9F:5B
```
Step 3: The final step is to compare the computed fingerprints to the actual fingerprints. See Metadata signing key for the Production environment.
If the computed fingerprints match the actual fingerprints, you are done. You may now safely use the certificate to verify the signature on the metadata file.
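The three bootstrap steps above can be scripted so that a downloaded certificate is only accepted when its fingerprints match the published ones. The following is an added example, not InCommon's own code: it reproduces what `openssl x509 -fingerprint` computes (the hash over the DER encoding of the PEM block) and compares the result with the fingerprints quoted on this page; the `SAMPLE_PEM` input is a constructed stand-in whose body is base64("abc"), not a real certificate.

```python
"""Pin-check a downloaded metadata signing certificate against published fingerprints."""
import base64
import hashlib
import hmac
import re

# The fingerprints this page publishes for the production signing certificate.
# They are the trust anchor: obtain them from the authoritative page, not from
# the same download as the certificate itself.
PINNED = {
    "sha1": "7D:B4:BB:28:D3:D5:C8:52:E0:80:B3:62:43:2A:AF:34:B2:A6:0E:DD",
    "sha256": "2F:9D:9A:A1:FE:D1:92:F0:64:A8:C6:31:5D:39:FA:CF:1E:08:"
              "84:0D:27:21:F3:31:B1:70:A5:2B:88:81:9F:5B",
}

_PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: bytes) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM file."""
    match = _PEM_RE.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE block found in input")
    return base64.b64decode(b"".join(match.group(1).split()), validate=True)


def fingerprint(pem: bytes, algo: str) -> str:
    """Colon-separated uppercase hex digest, in the form openssl x509 -fingerprint prints."""
    digest = hashlib.new(algo, pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalize(fp: str) -> str:
    return fp.replace(":", "").replace(" ", "").upper()


def matches_pins(pem: bytes, pins: dict = PINNED) -> bool:
    """True only if every pinned fingerprint matches the certificate (step 3)."""
    return all(
        hmac.compare_digest(_normalize(fingerprint(pem, algo)), _normalize(expected))
        for algo, expected in pins.items()
    )


# Constructed sample for offline use: the body decodes to the bytes b"abc",
# so its fingerprints are the well-known SHA-1/SHA-256 digests of "abc".
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for algo in ("sha1", "sha256"):
        print(f"{algo.upper()} Fingerprint={fingerprint(SAMPLE_PEM, algo)}")
    print("pins match:", matches_pins(SAMPLE_PEM))  # False: the sample is not the real cert
```

Feed the real file with `matches_pins(open(MD_CERT_PATH, "rb").read())` and refuse to use the certificate for XML signature verification unless it returns `True`.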