Using A Commercial Certificate Signed by an Intermediate CA Authority in Shibboleth
- First, in your idp.xml or shibboleth.xml you need to configure Shibboleth to send not just your certificate but also your intermediate CA certificate. For example, below is what you would specify under the sections where you specify your key and cert, if you have a certificate that was signed by an intermediate CA, Comodo Security Services CA, which in turn is signed by the root CA, GTE CyberTrust Global Root CA. The root CA is in the Federation metadata.
    <Key format="PEM">
        <Path>file:///etc/apache/ssl.key/mykey.pem</Path>
    </Key>
    <Certificate format="PEM">
        <Path>file:///etc/apache/ssl.crt/mycert.pem</Path>
        <CAPath>file:///etc/apache/ssl.crt/ComodoSecurityServicesCA.crt</CAPath>
        <CAPath>file:///etc/apache/ssl.crt/GTECyberTrustGlobalRoot.crt</CAPath>
    </Certificate>
- Second, you need to configure your Apache or Apache 2 SSL to also present the intermediate CA certificate to the clients connecting to it. This is achieved using the SSLCertificateChainFile directive. For example, you would concatenate both the Comodo and GTE CyberTrust certificates above into a single file (in that order) called ca-chain.pem, and then add this line to your SSL configuration (below where you specify your server's certificate and key):
    SSLCertificateChainFile /etc/apache/ssl.crt/ca-chain.pem
--
ChiNguyen - 03 Aug 2006