...
The InCommon metadata signing certificate is a long-lived, self-signed certificate containing the public key corresponding to the private metadata signing key. Important details about the metadata signing certificate are shown on this official authoritative web page:
...
The latter two steps guarantee the integrity of the metadata signing certificate so obtained.
Warning: To bootstrap your trusted metadata process, you MUST check the integrity of the metadata signing certificate configured into that process. It is not sufficient to fetch the certificate via a TLS-protected HTTPS connection: TLS only authenticates the web server at download time, whereas the fingerprints published out of band are what anchor your trust in the certificate itself.
You may check the integrity of the downloaded certificate in a variety of ways. For example, on a GNU/Linux system, you could use curl and openssl to perform the first two steps of the bootstrap process as follows:
```bash
# Step 1: Download a copy of the metadata signing certificate via a secure channel
$ MD_CERT_LOCATION=https://ds.incommon.org/certs/inc-md-cert.pem
$ MD_CERT_PATH=/path/to/inc-md-cert.pem
$ /usr/bin/curl --silent $MD_CERT_LOCATION > $MD_CERT_PATH

# Step 2: Compute the SHA-1 and SHA-256 fingerprints of the metadata signing certificate
$ /bin/cat $MD_CERT_PATH | /usr/bin/openssl x509 -sha1 -noout -fingerprint
SHA1 Fingerprint=7D:B4:BB:28:D3:D5:C8:52:E0:80:B3:62:43:2A:AF:34:B2:A6:0E:DD
$ /bin/cat $MD_CERT_PATH | /usr/bin/openssl x509 -sha256 -noout -fingerprint
SHA256 Fingerprint=2F:9D:9A:A1:FE:D1:92:F0:64:A8:C6:31:5D:39:FA:CF:1E:08:84:0D:27:21:F3:31:B1:70:A5:2B:88:81:9F:5B
```
Tip: The Shibboleth SP on Windows ships with its own
Step 3: The final step is to compare the computed fingerprints with the published fingerprints. If either fingerprint differs, do not configure the downloaded certificate into your metadata process; obtain a fresh copy and repeat the check. The published fingerprints are shown on this official authoritative web page:
...
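The three steps above can be folded into a single check that does not depend on the openssl binary at all. A certificate fingerprint is nothing more than a hash of the certificate's DER encoding, and the PEM body is that DER in base64, so the fingerprint can be recomputed from the PEM text with the Python standard library and compared against the expected values. The script below is an added example, not part of this page or of the InCommon tooling: the file name `inc-md-cert.pem` is an assumption, and the fingerprints embedded in `EXPECTED` are the ones printed by the openssl commands in Step 2 above, which you must still confirm against the authoritative web page before relying on them. Running it the openssl way and this way gives two independent computations that should agree.

```python
"""Recompute and verify X.509 certificate fingerprints without OpenSSL.

A fingerprint is the hash of the certificate's DER encoding; the PEM body
is that DER, base64-encoded.  Recomputing it here gives a second opinion,
independent of `openssl x509 -fingerprint`, before the certificate is
trusted as a metadata signing certificate.
"""
import base64
import hashlib
import re
import sys

# Expected fingerprints of the InCommon metadata signing certificate, taken
# from the openssl output shown in Step 2 of this page.  Confirm them against
# the authoritative InCommon page before treating them as the trust anchor.
EXPECTED = {
    "sha1": "7D:B4:BB:28:D3:D5:C8:52:E0:80:B3:62:43:2A:AF:34:B2:A6:0E:DD",
    "sha256": "2F:9D:9A:A1:FE:D1:92:F0:64:A8:C6:31:5D:39:FA:CF:1E:08:84:0D:"
              "27:21:F3:31:B1:70:A5:2B:88:81:9F:5B",
}

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem: str) -> bytes:
    """Extract the first CERTIFICATE block from PEM text and decode it to DER."""
    m = _PEM_RE.search(pem)
    if m is None:
        raise ValueError("no CERTIFICATE block found in PEM input")
    body = "".join(m.group(1).split())  # drop line breaks and whitespace
    return base64.b64decode(body, validate=True)


def fingerprint(der: bytes, algo: str) -> str:
    """Return the colon-separated uppercase hex digest, as openssl prints it."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Canonical form for comparison: hex digits only, uppercase, no separators."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def verify(pem: str, expected: dict) -> dict:
    """Compare computed fingerprints against the expected ones.

    Returns {algo: (computed_fingerprint, matches)} for every algorithm in
    `expected`.  Every algorithm must match for the certificate to be accepted.
    """
    der = pem_to_der(pem)
    results = {}
    for algo, want in expected.items():
        got = fingerprint(der, algo)
        results[algo] = (got, normalize(got) == normalize(want))
    return results


def all_match(results: dict) -> bool:
    """True only if every fingerprint in `results` matched its expected value."""
    return all(ok for _, ok in results.values())


if __name__ == "__main__":
    # Assumed file name; pass the real path as the first argument.
    path = sys.argv[1] if len(sys.argv) > 1 else "inc-md-cert.pem"
    with open(path, encoding="ascii") as fh:
        res = verify(fh.read(), EXPECTED)
    for algo, (got, ok) in res.items():
        print(f"{algo.upper()} {got} {'OK' if ok else 'MISMATCH'}")
    # Non-zero exit on any mismatch so the check can gate an install script.
    sys.exit(0 if all_match(res) else 1)
```

Run it as `python3 verify_md_cert.py /path/to/inc-md-cert.pem`; a non-zero exit status means at least one fingerprint did not match and the certificate must not be configured. Both SHA-1 and SHA-256 are checked because the page publishes both; requiring every listed algorithm to match is stricter than accepting any one of them.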