X.509 Certificates in the InCommon Federation

The use of self-signed certificates in Federation metadata is strongly RECOMMENDED. Certificates signed by a Certificate Authority (CA) are allowed, and in most situations will work just fine, but the use of such certificates is discouraged. See the Interoperability notes and the Backgrounder information below for further discussion.

Requirements

InCommon sets the following security and trust parameters around certificates that are included in Federation metadata:

1. RSA keys with a minimum size of 2048 bits must be used for all new certificates introduced into Federation metadata.
2. No certificates with keys less than 2048 bits will be allowed in Federation metadata after December 2012.
   • All participants must migrate old 1024-bit keys out of metadata and upgrade to 2048-bit keys by December 2012.
3. We recommend that participants submit a new certificate with a new 2048-bit key every 3 years.
4. Expired certificates will not be accepted into Federation metadata.
5. Certificates in metadata that expire may be retained in the metadata at the discretion of the participant.
6. InCommon does not validate Subject information in self-signed certificates because this information is irrelevant to the federated security context. However, at its own discretion, InCommon will reject metadata submissions if that submission contains a certificate with fields that contain egregiously misrepresentated Subject information as decided by InCommon on a case by case basis. Generally, your subject information should express a somewhat reasonable relationship between the certificate and your organization.

Interoperability

To increase the chances of your deployment interoperating:

• If the certificate will be used for TLS/SSL server authentication (e.g., an IdP's SOAP endpoint), make sure your certificate's CN (or subjectAltName) value matches the intended hostname. This will maximize the chances that your implementation will work. This TLS/SSL configuration is left to your discretion and responsibility. InCommon highlights this point as one that may likely cause problems if not met.
  • Note: Any <md:KeyDescriptor> element in metadata that has either a use="signing" attribute or no use attribute whatsoever is understood to be used for TLS/SSL.
• Shibboleth does not check expiration dates of certificates, but this practice often causes interoperability issues with other software, and with some older (generally now unsupported) versions of Apache used in the deployment of the Shibboleth IdP.
• If necessary, you may continue using an expired certificate. Shibboleth, when used with metadata of the form used by InCommon, does not enforce the expiration dates of certificates. However, other software often will check expiration dates; therefore, we recommend planning ahead and migrating to a self-signed certificate well ahead of your certificate's expiration date.
• For key management purposes, InCommon allows multiple certificates per endpoint at any time. You can log in to the site administration tool, select a particular endpoint, and choose one or more certificates you want to associate with that endpoint. This is helpful for migrating from one certificate to another during a finite period of time.
• Bear in mind that some SAML implementations do not support multiple keys properly and you may want to test this with your non-Shibboleth partners. For example, EZProxy supports metadata, but is known to ignore additional keys beyond the first.
• For those using the Shibboleth SP, the self-signed certificate generated during installation of the software (or subsequently using the keygen shell/batch script) is generally suitable for use within the federation.

Backgrounder: Security and Certificate Authorities

In the base SAML metadata specification \[1\], a certificate signing authority (CA) has no assumed relevance to the trust model that secures the interactions among a federation's participants. Certificates signed by a CA are discouraged since they can create interoperability issues in certain cases and lead to configurations that mistakenly rely on the certificate signer to establish trust. Allowing self-signed certificates simplifies the work of participants who may be required to join multiple federations, or who support local systems that are not enrolled in the Federation.

Participant site administrators securely transmit X.509 certificates and metadata to InCommon. InCommon signs the entire metadata file, securing the keys of its participants whether they are represented in the context of self-signed certificates or certificates signed by an authority. The critical element in the certificate is the public key, which is associated with the participant's "entityID." The other elements in the certificate are irrelevant for security and trust processing. Theoretically, if all the relevant software systems could accept a public key without a certificate wrapper, InCommon would only need to include the public key of each end point. As it is, the certificate is a practical shell for the public key, the critical element being that the key is bound to a particular entity in the metadata.

Where Do I Get My Certificate?

For those using the Shibboleth SP, the self-signed certificate generated during installation of the software (or subsequently using the keygen shell/batch script) is generally suitable for use within the federation.

The self-signed certificate generated during the installation of the Shibboleth IdP MAY be suitable, but this depends on your need for a TLS/SSL certificate and whether the hostname it deduces matches the one you expect to publish in your metadata. This will often not be the case, so use caution.

If you need to generate your own, an example of doing so using OpenSSL follows:

openssl req -new -x509 -days 1095 -keyout key.pem -out cert.pem -newkey rsa:2048 -subj "/CN=hostname.example.org"

References

\[1\] _Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0_ [http://saml.xml.org/saml-specifications]
\[2\] _SAML V2.0 Metadata Interoperability Profile_ [http://wiki.oasis-open.org/security/SAML2MetadataIOP]
\[3\] [X.509 Certificates in the Federation Metadata|http://internet2.na6.acrobat.com/p46467886/]: A technical webinar presented by the _InCommon Technical Advisory Committee_ (October 22, 2009)