
Assuming you trust the metadata registration practices of the InCommon Federation, you will want to verify the XML signature on each and every metadata aggregate you consume. Failure to do so will seriously compromise your metadata refresh process.

To verify the XML signature on a SAML metadata aggregate, you need an authentic copy of the metadata signing certificate, that is, the certificate that contains the public key corresponding to the private InCommon metadata signing key. The certificate must be obtained securely since all subsequent operations depend on it.

Check the integrity of the metadata signing certificate!

To bootstrap your trusted metadata process, you MUST check the integrity of the metadata signing certificate configured into that process. It is not sufficient to request the certificate via a TLS-protected HTTP connection, which is why the sample procedure shown below does not rely on TLS.

You may check the integrity of the downloaded certificate in a variety of ways. For example, on a GNU/Linux system, you could use curl and openssl to check the integrity of the metadata signing certificate as follows:

# download the metadata signing certificate from its published URL
# (<CERT_URL> is a placeholder for that URL) and display the HTTP response header
$ CERT_PATH=/path/to/inc-md-cert.pem
$ /usr/bin/curl --silent --dump-header /dev/tty <CERT_URL> > $CERT_PATH
HTTP/1.1 200 OK
Date: Thu, 19 Dec 2013 14:01:00 GMT
Server: Apache
Last-Modified: Wed, 18 Dec 2013 21:08:31 GMT
ETag: "150037-4fd-4edd5727611c0"
Accept-Ranges: bytes
Content-Length: 1277
Connection: close
Content-Type: text/plain; charset=UTF-8

# compute the SHA-1 and SHA-256 fingerprints of the metadata signing certificate
$ /bin/cat $CERT_PATH | /usr/bin/openssl x509 -sha1 -noout -fingerprint
SHA1 Fingerprint=7D:B4:BB:28:D3:D5:C8:52:E0:80:B3:62:43:2A:AF:34:B2:A6:0E:DD
$ /bin/cat $CERT_PATH | /usr/bin/openssl x509 -sha256 -noout -fingerprint
SHA256 Fingerprint=2F:9D:9A:A1:FE:D1:92:F0:64:A8:C6:31:5D:39:FA:CF:1E:08:84:0D:27:21:F3:31:B1:70:A5:2B:88:81:9F:5B
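The fingerprint check above can also be done without openssl, which makes it easy to automate before the certificate is installed. The following is an added example (not InCommon's code): it reproduces what `openssl x509 -fingerprint` computes (the hash of the certificate's DER encoding) and compares the result with a fingerprint obtained out of band; the PEM input and the trusted value are constructed stand-ins, and the file path in the comments is assumed.

```python
import base64
import hashlib
import re

# Added example: verify a downloaded PEM certificate against a fingerprint
# obtained out of band, without shelling out to openssl. A certificate
# fingerprint is the hash of the certificate's DER encoding, which is what
# `openssl x509 -fingerprint` prints.

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem_text: str) -> bytes:
    """Extract the first certificate from PEM text and return its DER bytes."""
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(match.group(1).split()))


def fingerprint(der: bytes, algorithm: str = "sha256") -> str:
    """Return the colon-separated upper-case fingerprint, openssl style."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Drop colons, spaces and case so differently formatted values compare equal."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def verify_cert(pem_text: str, trusted_fp: str, algorithm: str = "sha256") -> bool:
    """True only if the certificate's fingerprint equals the trusted value."""
    actual = fingerprint(pem_to_der(pem_text), algorithm)
    return normalize(actual) == normalize(trusted_fp)


# Constructed stand-in for a downloaded certificate: the base64 payload is just
# the bytes b"abc", so the expected fingerprint is the SHA-256 digest of "abc".
# In practice read /path/to/inc-md-cert.pem (assumed path) and pin the value
# you obtained through a trusted channel.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
TRUSTED_SHA256 = (
    "BA:78:16:BF:8F:01:CF:EA:41:41:40:DE:5D:AE:22:23:"
    "B0:03:61:A3:96:17:7A:9C:B4:10:FF:61:F2:00:15:AD"
)

if __name__ == "__main__":
    print(verify_cert(SAMPLE_PEM, TRUSTED_SHA256))  # True
```

Only copy the certificate into the metadata refresh configuration when `verify_cert` returns True; a mismatch means the download must not be trusted.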

Once the certificate file is locally installed, you can use it to verify the signature on the metadata file.
