The following signing certificate (public key) is issued for the Production environment. If you are looking for the preview environment key, see preview-metadata-signing-key.
This is not the same certificate that was used for the legacy aggregates from md.incommon.org or from the preview service. Please make sure you update your configurations accordingly.
-----BEGIN CERTIFICATE-----
MIIEvjCCAyagAwIBAgIJANpi9/mkU/zoMA0GCSqGSIb3DQEBCwUAMHQxCzAJBgNV
BAYTAlVTMQswCQYDVQQIDAJNSTESMBAGA1UEBwwJQW5uIEFyYm9yMRYwFAYDVQQK
DA1JbnRlcm5ldDIuZWR1MREwDwYDVQQLDAhJbkNvbW1vbjEZMBcGA1UEAwwQbWRx
LmluY29tbW9uLm9yZzAeFw0xODExMTMxNDI5NDNaFw0zODExMTAxNDI5NDNaMHQx
CzAJBgNVBAYTAlVTMQswCQYDVQQIDAJNSTESMBAGA1UEBwwJQW5uIEFyYm9yMRYw
FAYDVQQKDA1JbnRlcm5ldDIuZWR1MREwDwYDVQQLDAhJbkNvbW1vbjEZMBcGA1UE
AwwQbWRxLmluY29tbW9uLm9yZzCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoC
ggGBAJ0+fUTzYVSP6ZOutOEhNdp3WPCPOYqnB4sQFz7IeGbFL1o0lZjx5Izm4Yho
4wNDd0h486iSkHxNf5dDhCqgz7ZRSmbusOl98SYn70PrUQj/Nzs3w47dPg9Tpb/x
y44PvNLS/rE56hPgCz/fbHoTTiJt5eosysa1ZebQ3LEyW3jGm+LGtLbdIfkynKVQ
vpp1FVeCamzdeB3ZRICAvqTYQKE1JQDGlWrEsSW0VVEGNjfbzMzr/g4l8JRdMabQ
Jig8tj3UIXnu7A2CKSMJSy3WZ3HX+85oHEbL+EV4PtpQz765c69tUIdNTJax9jQ2
1c3wL0K27HE8jSRlrXImD50R3dXQBKH+iiynBWxRPdyMBa1YfK+zZEWPbLHshSTc
9hkylQv3awmPR/+Plz5AtTpe5yss/Ifyp01wz1jt42R+6jDE+WbUjp5XDBCAjGEE
0FPaYtxjZLkmNl367bdTN12OIn/ixPNH+Z/S/4skdBB9Gc4lb2fEBywJQY0OYNOd
WOxmPwIDAQABo1MwUTAdBgNVHQ4EFgQUMHZuwMaYSJM5mlu3Wc4Ts5xq4/swHwYD
VR0jBBgwFoAUMHZuwMaYSJM5mlu3Wc4Ts5xq4/swDwYDVR0TAQH/BAUwAwEB/zAN
BgkqhkiG9w0BAQsFAAOCAYEAMr4wfLrSoPTzfpXtvL+2vrKBJNnRfuJpOYTbPKUc
DOP2QfzRlczi7suYJvd5rLiRonq8rjyPUyM8gvTfbTps+JhJ6S9mS6dTBxOV1qPZ
3Ab+XKmq8LUtguGRabKgJgmJH0+inR/wVoal7EVHcWXfij9AT8DZOXW88shc6grh
jUaFZBu/2+q8c8ee0e4ip8B+CVEnCwDKI0d+nTcSmPvAE34CNa33F+QGpXawv5yv
VvIpSaLAeFQhc/jKcnNHfy+Zi7JmSnKZiMvQCbWANQmDjHg7pGmBW9nyQcm6P2/B
0AVcEj1YTpAR8Mbh1pUdIhoB+chaNnFEIZsXeRsdbbAFpxodInlJ7WekfuvSQ6sU
EXpoyBGOeuuTmR1va8k3QeL8Wc4yNu/g5LwjmtvPrh2jBF8xujc4J6VzP8K2BjA4
xk4LnXgjHOT93dBAJhVYJkykDHwyvHUvsBHoP6lfjrt5P8zunK2mdP/AZKik+Rdt
1GGlErV2AyWShTOaDLW6NxdP
-----END CERTIFICATE-----
You can check the integrity of the downloaded certificate in a variety of ways. For example, on a GNU/Linux system, you could use curl and openssl to perform the first two steps of the bootstrap process:
# Step 1: Grab a copy of the certificate
# Step 2: Compute various fingerprints of the metadata signing certificate
$ openssl x509 -sha1 -noout -fingerprint -in inc-md-cert-mdq.pem
SHA1 Fingerprint=F8:4E:F8:47:EF:BB:EE:47:86:32:DB:94:17:8A:31:A6:94:73:19:36
$ openssl x509 -sha256 -noout -fingerprint -in inc-md-cert-mdq.pem
SHA256 Fingerprint=60:49:74:D6:1F:E0:D7:F4:D6:3D:6C:8D:B9:8A:85:7E:64:2A:B9:B4:70:E3:E8:5D:D5:4D:66:3D:04:96:F9:00
$ openssl x509 -sha384 -noout -fingerprint -in inc-md-cert-mdq.pem
SHA384 Fingerprint=36:5E:2F:4D:BA:6B:71:3C:53:89:91:83:59:CB:82:E6:83:15:69:14:12:D1:3E:03:2E:61:96:63:A8:D5:0D:8A:80:8B:C1:37:E2:09:A7:E1:F0:CC:C0:D7:8B:53:7A:5A
$ openssl x509 -sha512 -noout -fingerprint -in inc-md-cert-mdq.pem
SHA512 Fingerprint=B8:F1:0E:E6:B5:47:DC:D3:15:69:2C:1F:D8:E0:70:3D:1D:CC:E6:12:77:84:80:63:8B:8F:DB:FC:30:97:30:2C:7C:17:C0:CF:C7:90:51:B2:5D:BB:3A:50:8F:9A:EF:6B:0B:21:8B:A2:4D:B3:DF:0A:00:6B:E6:CD:13:EE:E6:3F
# Step 3: Compare against fingerprints at the top of the page.
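The fingerprint comparison in step 3 is the trust anchor for everything that follows: if the wrong certificate is accepted here, every later signature check is worthless. The script below is an added example (not part of the InCommon page) that reproduces what `openssl x509 -noout -fingerprint` prints, namely a hash over the DER bytes in colon-separated uppercase hex, and compares it against a pinned value in constant time. The pinned SHA-256 value is copied from the page; the file name inc-md-cert-mdq.pem is the one the page uses; SAMPLE_PEM is a constructed test vector, not a real certificate.

```python
"""Pin-check a PEM certificate's fingerprint before trusting it.

Added example, not code from the InCommon page. It mirrors
`openssl x509 -noout -fingerprint`: hash the DER encoding (not the PEM
text), print AA:BB:CC... in uppercase, and compare against a pinned
value before the certificate is used to verify any metadata.
"""
import base64
import hashlib
import hmac
import re
import sys

# Expected SHA-256 fingerprint of inc-md-cert-mdq.pem, copied from the page.
PINNED_SHA256 = (
    "60:49:74:D6:1F:E0:D7:F4:D6:3D:6C:8D:B9:8A:85:7E:"
    "64:2A:B9:B4:70:E3:E8:5D:D5:4D:66:3D:04:96:F9:00"
)

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem_text: str) -> bytes:
    """Extract the first CERTIFICATE block and base64-decode it to DER.

    Fingerprints are computed over the DER bytes, never over the PEM text,
    so line wrapping or trailing whitespace in the file does not matter.
    """
    m = _PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    body = re.sub(r"\s+", "", m.group(1))
    return base64.b64decode(body, validate=True)


def fingerprint(pem_text: str, algo: str = "sha256") -> str:
    """Return the fingerprint in openssl's colon-separated uppercase form."""
    digest = hashlib.new(algo, pem_to_der(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Canonicalise 'aa:bb', 'AABB' or 'aa bb' spellings to bare uppercase hex."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def matches_pin(pem_text: str, pinned: str, algo: str = "sha256") -> bool:
    """Constant-time comparison of the computed fingerprint with the pin."""
    got = normalize(fingerprint(pem_text, algo))
    want = normalize(pinned)
    return hmac.compare_digest(got, want)


def check_file(path: str, pinned: str = PINNED_SHA256) -> bool:
    """Read a PEM file and report whether it matches the pinned fingerprint."""
    with open(path, encoding="ascii") as fh:
        pem = fh.read()
    ok = matches_pin(pem, pinned)
    print(f"{path}: SHA256 {fingerprint(pem)} -> {'OK' if ok else 'MISMATCH'}")
    return ok


# Constructed test vector: a "certificate" whose DER body is the bytes b"abc".
# It is not a real certificate; it only exercises PEM parsing and fingerprint
# formatting against the well-known SHA-1/SHA-256 digests of "abc".
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"abc").decode()
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    # Usage: python pin_check.py [inc-md-cert-mdq.pem]
    target = sys.argv[1] if len(sys.argv) > 1 else "inc-md-cert-mdq.pem"
    sys.exit(0 if check_file(target) else 1)
```

Run it against the downloaded file and refuse to configure the metadata provider unless it exits 0; the constant-time compare is habit rather than necessity here, since the pinned value is public, but it costs nothing.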
You can also verify downloaded metadata against the signing certificate. You will first need to download xmlsectool from: http://shibboleth.net/downloads/tools/xmlsectool/
# Step 1: Download some metadata from MDQ
$ curl -s -o internet2-idp-metadata.xml http://mdq.incommon.org/entities/urn:mace:incommon:internet2.edu
# Step 2: Verify the metadata signature against the signing cert using xmlsectool
$ xmlsectool.sh --verifySignature --certificate inc-md-cert-mdq.pem --inFile internet2-idp-metadata.xml
<Output goes here>
# If the cert is invalid, the output differs from the above, for example:
# INFO XMLSecTool - Reading XML document from file 'metadata.xml'
# INFO XMLSecTool - XML document parsed and is well-formed.
# ERROR XMLSecTool - XML document signature verification failed with an error
# org.apache.xml.security.signature.XMLSignatureException: Signature length not correct: got 256 but was expecting 384
More information on xmlsectool is available here: https://wiki.shibboleth.net/confluence/display/XSTJ2/xmlsectool+V2+Home