...
> **Tip:** Before generating a new private signing key for your IdP, read the IdP Key Handling topic (or the SP Key Handling topic).
A private key used for message-level signing and encryption is necessarily an online key, that is, it must be available to the SAML software at runtime. An online key may be encrypted, but the password or passphrase used to decrypt the key generally has to be available in an unencrypted file so that the SAML software can be restarted in unattended fashion. Therefore an online key is considerably more vulnerable than an offline key, and must be protected accordingly. In particular, a private key stored in the file system as an ordinary file should have strict permissions to prevent unauthorized copying.
Develop a strategy for securing a private key before you generate it. For instance, the following strategy is highly recommended:
...
When you issue the above OpenSSL command, you will be prompted to enter a pass phrase, which protects the private key: the key is encrypted with it, and the same pass phrase is required to decrypt it later. If you're generating the private key directly on the target system, it is not necessary to encrypt the private key, since it is assumed your host system is secure (as discussed above). Simply press return when prompted to enter a pass phrase, or use the `-nodes` option in the command above to issue an unencrypted private key straightaway.
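The two points above (an online key must carry strict file permissions, and an unencrypted `-nodes` key relies entirely on host security plus those permissions) can be checked mechanically before the SAML software is restarted. The following audit script is an added example, not code from the original page or from the Shibboleth/OpenSSL projects; the function names (`perms_strict`, `pem_encrypted`, `audit_key_file`) and the placeholder PEM file it writes are assumptions constructed for the demonstration, and no real key material is involved.

```shell
#!/bin/sh
# Added example: audit an online private key file before the SAML software loads it.
#   1. The file must not be readable by group or others (strict permissions).
#   2. Report whether the PEM is encrypted; an unencrypted (-nodes) key depends
#      entirely on host security and the file permissions checked in step 1.

# Permission string read via ls -l, which is portable; GNU "stat -c %a" and
# BSD "stat -f %Lp" differ, so they are avoided here.
key_mode() {
    ls -ld "$1" | cut -c1-10
}

# Returns 0 when the group/other bits (columns 5-10 of ls -l) are all "-",
# i.e. only the owner has any access to the key.
perms_strict() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Returns 0 when the PEM carries an encryption marker: PKCS#8
# "ENCRYPTED PRIVATE KEY" or the legacy "Proc-Type: 4,ENCRYPTED" header.
pem_encrypted() {
    grep -Eq 'ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# audit_key_file FILE: prints findings; exit status 0 when the file passes.
audit_key_file() {
    f=$1
    rc=0
    if [ ! -f "$f" ]; then
        echo "MISSING: $f"
        return 2
    fi
    if perms_strict "$f"; then
        echo "OK: $f is accessible to its owner only ($(key_mode "$f"))"
    else
        echo "FAIL: $f is readable by group/others ($(key_mode "$f")); fix with: chmod 600 $f"
        rc=1
    fi
    if pem_encrypted "$f"; then
        echo "INFO: $f is encrypted; the file holding its pass phrase needs the same protection"
    else
        echo "INFO: $f is stored unencrypted (-nodes); it relies on host security and file permissions"
    fi
    return $rc
}

# Demonstration on a constructed placeholder file (not a real key): first with
# the loose default mode many tools leave behind, then after chmod 600.
demo() {
    tmp=$(mktemp)
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' \
                  'PLACEHOLDER-NOT-A-REAL-KEY' \
                  '-----END PRIVATE KEY-----' > "$tmp"
    chmod 644 "$tmp"
    audit_key_file "$tmp" || echo "audit reported a problem (expected for mode 644)"
    chmod 600 "$tmp"
    audit_key_file "$tmp"
    rm -f "$tmp"
}

demo
```

Run it as the account that owns the key; `audit_key_file /path/to/idp-signing.key` is the reusable part, and a non-zero exit status is a convenient gate in the script that restarts the IdP.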
...