The InCommon metadata signing certificate is a long-lived, self-signed certificate containing the public key corresponding to the private metadata signing key. Important details about the metadata signing certificate are shown on this authoritative web page:
Note in particular the certificate fingerprints listed at the top of that page. InCommon Operations certifies that these are the actual fingerprints of the metadata signing certificate. Accept no substitute!
To ensure the security of your metadata refresh process, you must verify the XML signature on each and every metadata aggregate you consume. To do that, you need an authentic copy of the metadata signing certificate. The certificate must be obtained securely since all subsequent operations depend on it.
To obtain an authentic copy of the metadata signing certificate, perform the following steps:
The latter two steps guarantee the integrity of the metadata signing certificate so obtained.
Check the integrity of the metadata signing certificate!
To bootstrap your trusted metadata process, you MUST check the integrity of the metadata signing certificate configured into that process. It is not sufficient to fetch the certificate via a TLS-protected HTTPS connection.
You may check the integrity of the downloaded certificate in a variety of ways. For example, on a GNU/Linux system, you could use curl and openssl to perform the first two steps of the bootstrap process:
# Step 1: Download a copy of the metadata signing certificate via a secure channel
$ MD_CERT_LOCATION=https://ds.incommon.org/certs/inc-md-cert.pem
$ MD_CERT_PATH=/path/to/inc-md-cert.pem
$ /usr/bin/curl --silent $MD_CERT_LOCATION > $MD_CERT_PATH
# Step 2: Compute the SHA-1 and SHA-256 fingerprints of the metadata signing certificate
$ /bin/cat $MD_CERT_PATH | /usr/bin/openssl x509 -sha1 -noout -fingerprint
SHA1 Fingerprint=7D:B4:BB:28:D3:D5:C8:52:E0:80:B3:62:43:2A:AF:34:B2:A6:0E:DD
$ /bin/cat $MD_CERT_PATH | /usr/bin/openssl x509 -sha256 -noout -fingerprint
SHA256 Fingerprint=2F:9D:9A:A1:FE:D1:92:F0:64:A8:C6:31:5D:39:FA:CF:1E:08:84:0D:27:21:F3:31:B1:70:A5:2B:88:81:9F:5B
The Shibboleth SP on Windows ships with its own curl and
Step 3: The final step is to compare the computed fingerprints to the actual fingerprints. The latter are shown on this authoritative web page:
If the computed fingerprints match the actual fingerprints, you are done. You may now safely use the certificate to verify the signature on the metadata file.
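The three-step check above as an added example that is not InCommon's own code: it recomputes the fingerprints with the Python standard library (the value printed by `openssl x509 -fingerprint` is simply the hash over the certificate's DER encoding) and compares them in constant time against pinned values, refusing the certificate on any mismatch. The PEM and the pinned fingerprints in the block are constructed placeholders, not the InCommon certificate or its published fingerprints.

```python
# Added example, not InCommon's own code: recompute what `openssl x509
# -fingerprint` prints (a hash over the certificate's DER encoding) and
# pin-check it against authoritative values, failing closed on mismatch.
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Extract the first certificate from PEM text and base64-decode it."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def fingerprint(der: bytes, algo: str) -> str:
    """Fingerprint in openssl's colon-separated uppercase hex form."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Accept 'AB:CD', 'ab cd' or 'abcd' and normalise to 'AB:CD'."""
    hexstr = re.sub(r"[^0-9a-fA-F]", "", fp).upper()
    return ":".join(hexstr[i:i + 2] for i in range(0, len(hexstr), 2))


def verify_cert(pem: str, expected: dict) -> bool:
    """True only if every pinned fingerprint matches (constant-time compare)."""
    der = pem_to_der(pem)
    return all(hmac.compare_digest(fingerprint(der, algo), normalize(fp))
               for algo, fp in expected.items())


# Constructed stand-in (not a real certificate): the "DER" decodes to b"abc",
# so the pins are the well-known SHA-1/SHA-256 digests of "abc". In practice
# use the downloaded PEM and the fingerprints from InCommon's published page.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
SAMPLE_EXPECTED = {
    "sha1": "A9:99:3E:36:47:06:81:6A:BA:3E:25:71:78:50:C2:6C:9C:D0:D8:9D",
    "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
}

if __name__ == "__main__":
    print("fingerprints match" if verify_cert(SAMPLE_PEM, SAMPLE_EXPECTED)
          else "MISMATCH: do not use this certificate")
```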