Versions Compared

...

The InCommon Federation is based on the Explicit Key Trust Model, one of several possible metadata trust models. To bootstrap the trust fabric of the Federation, participants are required to download and configure the metadata verification certificate into their metadata refresh process:https

  • http://

...

  • md.

...

  • incommon.org/

...

  • certs/

...

  • inc-md-cert.pem
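
Review bot: the certificate link in this sentence changes scheme from "https" to "http://", yet the next paragraph says the certificate must be obtained securely because all subsequent operations depend on it. Either keep an https URL for the trust anchor, or say here that the download itself is unauthenticated and that the certificate is to be trusted only after the fingerprint check that follows.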

The certificate must be obtained securely since all subsequent operations depend on it. You may check the integrity of the downloaded certificate in a variety of ways. For example, on a GNU/Linux system, you could use curl and openssl to check the integrity of the certificate as follows:

Code Block
languagebash
# get the metadata signing certificate on wayfmd.incommonfederationincommon.org via HTTPS
# and display the HTTP response header
$ CERT_PATH=/path/to/inc-md-cert.pem
$ /usr/bin/curl --silent --dump-header /dev/tty httpshttp://wayfmd.incommonfederationincommon.org/bridge/certs/inc-md-cert.pem > $CERT_PATH
HTTP/1.1 200 OK
Date: TueThu, 1719 Dec 2013 2214:3101:1100 GMT
Server: Apache
Last-Modified: MonWed, 1618 Dec 2013 21:1508:4431 GMT
ETag: "6077f150037-4fd-4edad509660004edd5727611c0"
Accept-Ranges: bytes
Content-Length: 1277
Connection: close
Content-Type: text/plain; charset=UTF-8

# compute the SHA-1 and SHA-256 fingerprints of the metadata signing certificate
$ /usr/bin/openssl x509 -sha1 -in $CERT_PATH -noout -fingerprint
SHA1 Fingerprint=7D:B4:BB:28:D3:D5:C8:52:E0:80:B3:62:43:2A:AF:34:B2:A6:0E:DD
$ /usr/bin/openssl x509 -sha256 -in $CERT_PATH -noout -fingerprint
SHA256 Fingerprint=2F:9D:9A:A1:FE:D1:92:F0:64:A8:C6:31:5D:39:FA:CF:1E:08:84:0D:27:21:F3:31:B1:70:A5:2B:88:81:9F:5B
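
Review bot: the comment on the first line of the code block still says the certificate is fetched "via HTTPS", while the curl line below it shows the scheme changing from https to http; the two should agree. If the plain-HTTP URL is intended, the comment should say so, and the surrounding text should make clear that the printed fingerprints are only meaningful when compared with values obtained over a separate authenticated channel, with the SHA-256 value preferred over SHA-1. Also quote the variable in the redirect and in both openssl calls ("$CERT_PATH") so that a path containing spaces does not break the commands.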

...