Federation.HowToKnowCertPurpose r1.1 - 03 Dec 2007 - 01:50 - BrucLiong


Using a certificate for the back-channel

The federation uses back-channel certificates to allow an SP to query the IdP for attributes (SAML artifact profile). For this purpose, the certificate has to be trusted. For level-1, you don't need to worry about this, as the certificate for your machine for both the front and back channel is signed by our Federation CA. However, for level-2 and above, you need to ensure that the certificate is trusted by federation members.

If you have a commercial certificate for your front-channel (https), you may be able to use the same certificate, but you need to check that it fits the purpose for which it is going to be used.

All front-channel certificates must have the "server ssl" purpose. An SP back-channel certificate (this is defined in your shibboleth.xml) must have the "client ssl" purpose. An IdP back-channel certificate must have the "server ssl" purpose.

To find out whether your cert satisfies a particular purpose, such as "client ssl", you can issue the following command:

openssl verify -purpose sslclient mycert.pem

The output should say whether your certificate satisfies the intended purpose.

Using a certificate for a purpose it was not issued for will fail and be rejected automatically, so it is important to check that you are using your certificate correctly.
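The following is an added example, not part of the original wiki page: it wraps the openssl check above in a small script that maps each federation role (front-channel, SP back-channel, IdP back-channel) to the purpose name openssl expects, and verifies the certificate against the CA file that federation members trust. It assumes the openssl command line tool (1.1.1 or later); the role names, file names and the throwaway test CA are constructed for this demo.

```sh
#!/bin/sh
# Added example (not the federation's own tooling): check whether a
# certificate fits a federation role by mapping the role to the X.509
# purpose understood by "openssl verify -purpose". Role names, file
# names and the test PKI below are constructed for this demonstration.
set -u

# Map a role from the page to the purpose name openssl expects.
purpose_for_role() {
    case "$1" in
        front-channel)   echo sslserver ;;   # HTTPS endpoint of SP or IdP
        sp-backchannel)  echo sslclient ;;   # SP is the TLS client to the IdP
        idp-backchannel) echo sslserver ;;   # IdP answers artifact resolution
        *) echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# check_cert_purpose ROLE CERT CAFILE -> exit 0 if CERT fits ROLE.
# Without -CAfile, openssl verify cannot build the chain and fails with
# "unable to get local issuer certificate" whatever the purpose is.
check_cert_purpose() {
    purpose=$(purpose_for_role "$1") || return 1
    openssl verify -purpose "$purpose" -CAfile "$3" "$2" >/dev/null 2>&1
}

# Build a throwaway CA plus two leaf certs with different extendedKeyUsage
# so the check has something to exercise (test material only).
make_test_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=Demo-CA \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    for leaf in client:clientAuth:digitalSignature \
                server:serverAuth:digitalSignature,keyEncipherment; do
        name=${leaf%%:*}; rest=${leaf#*:}; eku=${rest%%:*}; ku=${rest#*:}
        printf 'extendedKeyUsage=%s\nkeyUsage=%s\n' "$eku" "$ku" > "$dir/$name.ext"
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name.example.org" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
        openssl x509 -req -days 1 -in "$dir/$name.csr" -CA "$dir/ca.crt" \
            -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/$name.ext" \
            -out "$dir/$name.crt" 2>/dev/null
    done
}

# Example invocation against real files (paths are placeholders):
#   check_cert_purpose sp-backchannel mycert.pem federation-ca.pem && echo fits
```

A certificate whose extendedKeyUsage lists only serverAuth is rejected for the SP back-channel role, and one listing only clientAuth is rejected for the front-channel and IdP back-channel roles, which is exactly what the federation software will do at connection time.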



