The information on this page is for the Preview environment of the MDQ Service. For the production metadata signing key, see production metadata signing key.
The following signing certificate (public key) is issued for the Preview environment. If you are looking for the production key, see
SHA512 Fingerprint=63:DC:31:7A:FE:C0:ED:95:EF:82:B3:49:D0:AC:8E:50:62:27:47:2F:D7:DE:34:46:0B:DA:88:1E:F8:B3:DA:21:AE:04:78:22:E6:49:D8:39:CD:C9:35:FD:E3:69:15:8D:86:3D:8B:16:14:E7:C6:FA:F0:D5:F8:DB:4D:42:85:46
SHA384 Fingerprint=39:8F:D8:9D:AB:1F:43:AA:23:DE:C7:76:59:EB:60:C9:FE:21:61:95:F4:14:FC:DD:B8:CE:25:A1:44:B1:0C:D5:F7:7B:B4:0F:B3:CD:BB:AC:1A:CF:83:A7:56:25:3C:A5
SHA256 Fingerprint=F6:F4:22:4C:25:E3:E6:4E:E7:9E:95:00:2E:BF:02:07:6A:00:53:C1:13:75:D0:9E:DD:1F:51:77:E4:0F:94:42
SHA1 Fingerprint=CF:A8:7A:57:00:6E:05:09:CD:63:A1:49:1B:4B:F8:46:98:DD:3A:38
Fingerprints will also be posted on ops.incommon.org at a later date, as was done for the legacy signing certificate.
---TBD---
-----BEGIN CERTIFICATE-----
MIIEXjCCAsYCCQDpxz3q+NIrLTANBgkqhkiG9w0BAQsFADBxMQswCQYDVQQGEwJV
UzERMA8GA1UECAwITWljaGlnYW4xEjAQBgNVBAcMCUFubiBBcmJvcjESMBAGA1UE
CgwJSW50ZXJuZXQyMREwDwYDVQQLDAhJbkNvbW1vbjEUMBIGA1UEAwwLTURRIFBy
ZXZpZXcwHhcNMTkwMjA2MTgwMjQ0WhcNMzkwMjAzMTgwMjQ0WjBxMQswCQYDVQQG
EwJVUzERMA8GA1UECAwITWljaGlnYW4xEjAQBgNVBAcMCUFubiBBcmJvcjESMBAG
A1UECgwJSW50ZXJuZXQyMREwDwYDVQQLDAhJbkNvbW1vbjEUMBIGA1UEAwwLTURR
IFByZXZpZXcwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCRtPhg50rb
XRrXL7xEa57438Ys7+cXTgGLBQNAXh/kVijSiVqBtwZTDHExWWDqUU8UMXs/BM84
1rQ0yKoWkRAu4grU52mNP0jBHCPX59N2r1VUmX1k0uQ3zPJ962l7MmEosMFmszLv
I6aDtyh20wo6jLjUsssHEG8IYodurm9ry0SD+Mnv2fNxijibDyE+ZRvIHvXO92Hd
xfZehfWQ8wIdO2z44/hgyya+tVYSLhCxWwRiicPapBOLOU5UsCGLvs6md3GKA+uH
qZBq+EIHjeFdgbFjQevOgiZRfoexOe4iXSEvnb6jB6u1rz6/7GcyXJAc4WD9WP2V
M7Re5GCXSr6uCNWCgdi7yxIFG7PiEEHXiU5C+2/5nl5wf7+dFAgn68P+O/Z26k/a
sZTkYvjMqYgeXm2b+INB6EstNjXKqIJkMoy72yaN/1yjEYnOhzv8/qYu5pLMdLgc
muUrvisxt+OlKNk7D3qARxzvYtw7oyczasfgMF426oFxnQiNV/2g4mUCAwEAATAN
BgkqhkiG9w0BAQsFAAOCAYEAXHaMqV8HV3sQBWZgzI8yDz7HQjHtXYdJpcALsQlm
Rxh9ND1Cz4DxS6wMFyccUbOUizPs3JrECL/APc71+gg4FnJLPboyGn2zINxcnOce
WnXL8QMIyhdT9jdJ909WespVaCsBq75YZ1Yja6dOUZnciBfwag42gMgUTMPyEeuk
CO00B7BBnc8hrfp5+l+wi9OhtWoNCjXtPuaeLBe10PuTuWMQxhKzW8MCbrKpoWVR
V5jhIghLCdJDB1/3UR52C6IEnFMwO6q91n5q2F9Lja2k4BGed9d1/6qVjSxqHm0c
Q0xkeg4FGsKuex7tc2Ulk2qzTYDSSNVEcbGjzUT27ZBOuBH5txJBKQhfcP15I7Wd
giPjpnVAhUkWVuAGneaBKYBF5NOBXLD3QZXWa2g/sBtJMHkI+uWD3y7qbGPW1qAc
U/t5KtGKTUSTnf5FaTvyLqZCGfv4ZhIx+3sXLcnWy1YPlE1fiYUZ7mKOCInCrRuV
4eMqDtiFDJzvbmmPZVv1/GcT
-----END CERTIFICATE-----
You may check the integrity of the downloaded certificate in a variety of ways. For example, on a GNU/Linux system, you could use curl and openssl to perform the first two steps of the bootstrap process:

# Step 1: Grab a copy of the certificate
# Step 2: Compute various fingerprints of the metadata signing certificate
$ openssl x509 -sha1 -noout -fingerprint -in incommon-mdq.pem
SHA1 Fingerprint=CF:A8:7A:57:00:6E:05:09:CD:63:A1:49:1B:4B:F8:46:98:DD:3A:38
$ openssl x509 -sha256 -noout -fingerprint -in incommon-mdq.pem
SHA256 Fingerprint=F6:F4:22:4C:25:E3:E6:4E:E7:9E:95:00:2E:BF:02:07:6A:00:53:C1:13:75:D0:9E:DD:1F:51:77:E4:0F:94:42
$ openssl x509 -sha384 -noout -fingerprint -in incommon-mdq.pem
SHA384 Fingerprint=39:8F:D8:9D:AB:1F:43:AA:23:DE:C7:76:59:EB:60:C9:FE:21:61:95:F4:14:FC:DD:B8:CE:25:A1:44:B1:0C:D5:F7:7B:B4:0F:B3:CD:BB:AC:1A:CF:83:A7:56:25:3C:A5
$ openssl x509 -sha512 -noout -fingerprint -in incommon-mdq.pem
SHA512 Fingerprint=63:DC:31:7A:FE:C0:ED:95:EF:82:B3:49:D0:AC:8E:50:62:27:47:2F:D7:DE:34:46:0B:DA:88:1E:F8:B3:DA:21:AE:04:78:22:E6:49:D8:39:CD:C9:35:FD:E3:69:15:8D:86:3D:8B:16:14:E7:C6:FA:F0:D5:F8:DB:4D:42:85:46
# Step 3: Compare against fingerprints at the top of the page.
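The same bootstrap check can be automated so that a deployment fails closed when the certificate it was handed does not match the pinned fingerprints. The script below is an added example, not code from this page or from InCommon/Internet2; it uses only the Python standard library and re-computes what openssl's -fingerprint option prints (a hash over the DER encoding of the whole certificate, i.e. the decoded base64 between the PEM armour lines). The certificate and the four pinned fingerprints are copied from this page; the function names (pem_to_der, fingerprint, verify_pinned, bootstrap_ok) are this example's own.

```python
"""Bootstrap check for the MDQ Preview metadata signing certificate.

Added example (not InCommon/Internet2 code). Re-implements
`openssl x509 -noout -fingerprint -<alg>` with the standard library and
compares the result against fingerprints pinned out of band (here: the
values published on this page), refusing the certificate on any mismatch.
"""
import base64
import hashlib
import hmac
import re
import sys

# The Preview signing certificate exactly as published on this page.
PREVIEW_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIEXjCCAsYCCQDpxz3q+NIrLTANBgkqhkiG9w0BAQsFADBxMQswCQYDVQQGEwJV
UzERMA8GA1UECAwITWljaGlnYW4xEjAQBgNVBAcMCUFubiBBcmJvcjESMBAGA1UE
CgwJSW50ZXJuZXQyMREwDwYDVQQLDAhJbkNvbW1vbjEUMBIGA1UEAwwLTURRIFBy
ZXZpZXcwHhcNMTkwMjA2MTgwMjQ0WhcNMzkwMjAzMTgwMjQ0WjBxMQswCQYDVQQG
EwJVUzERMA8GA1UECAwITWljaGlnYW4xEjAQBgNVBAcMCUFubiBBcmJvcjESMBAG
A1UECgwJSW50ZXJuZXQyMREwDwYDVQQLDAhJbkNvbW1vbjEUMBIGA1UEAwwLTURR
IFByZXZpZXcwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCRtPhg50rb
XRrXL7xEa57438Ys7+cXTgGLBQNAXh/kVijSiVqBtwZTDHExWWDqUU8UMXs/BM84
1rQ0yKoWkRAu4grU52mNP0jBHCPX59N2r1VUmX1k0uQ3zPJ962l7MmEosMFmszLv
I6aDtyh20wo6jLjUsssHEG8IYodurm9ry0SD+Mnv2fNxijibDyE+ZRvIHvXO92Hd
xfZehfWQ8wIdO2z44/hgyya+tVYSLhCxWwRiicPapBOLOU5UsCGLvs6md3GKA+uH
qZBq+EIHjeFdgbFjQevOgiZRfoexOe4iXSEvnb6jB6u1rz6/7GcyXJAc4WD9WP2V
M7Re5GCXSr6uCNWCgdi7yxIFG7PiEEHXiU5C+2/5nl5wf7+dFAgn68P+O/Z26k/a
sZTkYvjMqYgeXm2b+INB6EstNjXKqIJkMoy72yaN/1yjEYnOhzv8/qYu5pLMdLgc
muUrvisxt+OlKNk7D3qARxzvYtw7oyczasfgMF426oFxnQiNV/2g4mUCAwEAATAN
BgkqhkiG9w0BAQsFAAOCAYEAXHaMqV8HV3sQBWZgzI8yDz7HQjHtXYdJpcALsQlm
Rxh9ND1Cz4DxS6wMFyccUbOUizPs3JrECL/APc71+gg4FnJLPboyGn2zINxcnOce
WnXL8QMIyhdT9jdJ909WespVaCsBq75YZ1Yja6dOUZnciBfwag42gMgUTMPyEeuk
CO00B7BBnc8hrfp5+l+wi9OhtWoNCjXtPuaeLBe10PuTuWMQxhKzW8MCbrKpoWVR
V5jhIghLCdJDB1/3UR52C6IEnFMwO6q91n5q2F9Lja2k4BGed9d1/6qVjSxqHm0c
Q0xkeg4FGsKuex7tc2Ulk2qzTYDSSNVEcbGjzUT27ZBOuBH5txJBKQhfcP15I7Wd
giPjpnVAhUkWVuAGneaBKYBF5NOBXLD3QZXWa2g/sBtJMHkI+uWD3y7qbGPW1qAc
U/t5KtGKTUSTnf5FaTvyLqZCGfv4ZhIx+3sXLcnWy1YPlE1fiYUZ7mKOCInCrRuV
4eMqDtiFDJzvbmmPZVv1/GcT
-----END CERTIFICATE-----
"""

# Fingerprints pinned from the top of this page, in openssl's output format.
PINNED_FINGERPRINTS = {
    "sha1": "CF:A8:7A:57:00:6E:05:09:CD:63:A1:49:1B:4B:F8:46:98:DD:3A:38",
    "sha256": "F6:F4:22:4C:25:E3:E6:4E:E7:9E:95:00:2E:BF:02:07:6A:00:53:C1:13:75:D0:9E:DD:1F:51:77:E4:0F:94:42",
    "sha384": "39:8F:D8:9D:AB:1F:43:AA:23:DE:C7:76:59:EB:60:C9:FE:21:61:95:F4:14:FC:DD:B8:CE:25:A1:44:B1:0C:D5:F7:7B:B4:0F:B3:CD:BB:AC:1A:CF:83:A7:56:25:3C:A5",
    "sha512": "63:DC:31:7A:FE:C0:ED:95:EF:82:B3:49:D0:AC:8E:50:62:27:47:2F:D7:DE:34:46:0B:DA:88:1E:F8:B3:DA:21:AE:04:78:22:E6:49:D8:39:CD:C9:35:FD:E3:69:15:8D:86:3D:8B:16:14:E7:C6:FA:F0:D5:F8:DB:4D:42:85:46",
}

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first certificate in a PEM string."""
    match = _PEM_RE.search(pem)
    if not match:
        raise ValueError("no PEM certificate block found")
    body = re.sub(r"\s+", "", match.group(1))  # strip the 64-column line breaks
    return base64.b64decode(body, validate=True)  # reject non-base64 junk


def fingerprint(der: bytes, algorithm: str) -> str:
    """Hash the DER encoding and format it like `openssl x509 -fingerprint`."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def verify_pinned(pem: str, pinned: dict) -> dict:
    """Compare every pinned fingerprint; return {algorithm: matched}."""
    der = pem_to_der(pem)
    result = {}
    for algorithm, expected in pinned.items():
        actual = fingerprint(der, algorithm)
        # Constant-time comparison; both strings are ASCII hex with colons.
        result[algorithm] = hmac.compare_digest(actual, expected.upper())
    return result


def bootstrap_ok(pem: str, pinned: dict = PINNED_FINGERPRINTS) -> bool:
    """Fail closed: there must be at least one pin and every pin must match."""
    results = verify_pinned(pem, pinned)
    return bool(results) and all(results.values())


if __name__ == "__main__":
    # Usage: python check_mdq_cert.py [incommon-mdq.pem]
    # With no argument the embedded copy of the certificate is checked.
    pem_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else PREVIEW_CERT_PEM
    for alg, ok in verify_pinned(pem_text, PINNED_FINGERPRINTS).items():
        print(f"{alg:7s} {'match' if ok else 'MISMATCH'}")
    sys.exit(0 if bootstrap_ok(pem_text) else 1)
```

Run it against the file you fetched (python check_mdq_cert.py incommon-mdq.pem) and gate the rest of the bootstrap on its exit status; a single fingerprint mismatch means the certificate you have is not the one published here and should not be handed to xmlsectool or to your SAML software.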
You can also verify the signature on downloaded metadata against the signing cert. You will first need to download xmlsectool from http://shibboleth.net/downloads/tools/xmlsectool/
# Step 1: Download some metadata from MDQ
$ curl -s -o internet2-idp-metadata.xml http://mdq-preview.incommon.org/entities/urn:mace:incommon:internet2.edu
# Step 2: Verify the metadata signature against the signing cert using xmlsectool
$ xmlsectool.sh --verifySignature --certificate incommon-mdq.pem --inFile internet2-idp-metadata.xml
<Output goes here>
### If the signature does not verify against the cert, you will see output different from above, for example:
# INFO XMLSecTool - Reading XML document from file 'metadata.xml'
# INFO XMLSecTool - XML document parsed and is well-formed.
# ERROR XMLSecTool - XML document signature verification failed with an error
# org.apache.xml.security.signature.XMLSignatureException: Signature length not correct: got 256 but was expecting 384

The length error above is what a wrong certificate looks like: the metadata was signed with a 2048-bit RSA key (256-byte signature), while the public key in the certificate you passed is 3072 bits (384 bytes), so the two cannot belong together.
More information on xmlsectool is available here: https://wiki.shibboleth.net/confluence/display/XSTJ2/xmlsectool+V2+Home