You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 5 Current »

7. Key Rollover

To minimize interoperability issues, certificates should be long-lived and self-signed. Note that the security of the federation is based on the signing of the metadata and not on the certificate verification chain or the lifespan of the entity certificates. Signing and encryption certificates MUST NOT be expired


1. Create a new key pair that is compliant with the federation
2. Create a copy of the metadata already published in the federation and add a new KeyDescriptor element containing the public key certificate. The metadata should now contain the old and the new KeyDescriptor element. If there is a KeyDescriptor for signing and one for encrypting do this for both
3. Uploaded the metadata to the federation. Read more about how to publish metadata on the federation website
4. Wait for the new metadata to propagate.
5. Configure the software to use the new private key
6. Remove the old KeyDescriptor element from the metadata and upload it to the federation.

Example metadata with old and new certificates.

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://myhost.example.com/simplesaml/saml2/idp/metadata.php" ID="pfx797787f7-e5bd-acc6-89ef-4d120e679a48">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#pfx797787f7-e5bd-acc6-89ef-4d120e679a48">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>AzMFoTwyoKc0YHcPAaYl5jPIclE=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>Srzu2vX2+FC6tTNH+vImIdvfo8fXuWbcF4vkL3NdiTB/ZU3HTmjKg3KkNLKxw/DbGznNdnmi16ImWOqtETSbYDGPUwhYM13PvQ+OIfogmurj5sNE57pa3sg/MEOJB80A7axXCUKsOV4CqLTDZNh/d7imiS2G4VB7Kmo9o0y1ZQtkV6U5LWO87Mw9rIj+D16KiB2HVIqq/cxOJBa4A7BoVuqJi3Qsc7rDjZK8b6e/EhP1QKgfAPwmTIp7K88mfUlD3/fKo9EP5haLuXxjLLKySIwgqR56sLEwHttHMZMPg83zeOLgaeT8+qVA0NeplsM+2c5y2/OMk8vM9Q6ix7eOfg==</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIIDszCCApugAwIBAgIJAP7RfQ50pS1JMA0GCSqGSIb3DQEBCwUAMHAxCzAJBgNVBAYTAlNFMRIwEAYDVQQIDAlTdG9ja2hvbG0xEjAQBgNVBAcMCVN0b2NraG9sbTEMMAoGA1UECgwDSUlTMQwwCgYDVQQLDANGZWQxHTAbBgNVBAMMFHNhbWxpZHAubXlkb21haW4ubG9jMB4XDTE1MDgwNDExNDMzNloXDTIwMDgwMzExNDMzNlowcDELMAkGA1UEBhMCU0UxEjAQBgNVBAgMCVN0b2NraG9sbTESMBAGA1UEBwwJU3RvY2tob2xtMQwwCgYDVQQKDANJSVMxDDAKBgNVBAsMA0ZlZDEdMBsGA1UEAwwUc2FtbGlkcC5teWRvbWFpbi5sb2MwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDT1HIQFaO7i5Zxt/Nf6kyHzy7gDXXaxLO++E7cjbMnaWUg/5dsWU0oBLpme+1m+7DybQQsIg9+yjqkJkS22z/2go3MB9PBnxmiaplhAYjWN7oBGpo1R1dwofYQZnLo/iBH0rT+odzv8RvxkhLtGASpNR/b5MIwrnIpWLXgcSybAHNQPi/9peW5eNIq26AHF7QwxgUOHnSazNPCWkSjTye00uFHx8xHYQ7Fjq2pifzhTrDABZgtc3ws/bxOwxz2XnbLWAYhivUCSXCtNErLO68yO0X2NILtUJpJJ6JD+yRFjjBp6KFFwcsEIOHnJ7TW+jk+gAYFrRLRZb9Xp/yjO+JFAgMBAAGjUDBOMB0GA1UdDgQWBBTDeQkkzM7pXo6WQmW74xYTvPf5GDAfBgNVHSMEGDAWgBTDeQkkzM7pXo6WQmW74xYTvPf5GDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBawGnUJabQ/V9UG6/+tCZwKCge4qZKVQ67feu4NAIiQKrcnuuQb0U0g/CrwrJ2TTwHzRVJscf5KW9bWhK4Xuwm2Pq+ySTExHputJW8VaAYZ5J5G7K4M7H4zjCRJwdDSSNI3Jv4+Bs/sOi5jcLQ7wk0oCjQkiARFbB6On22WeAun618AHBTVgn0TsP2JasJyJJomrP6IqVF2Ox6/NB0GEr1gRAv5Apzvxvgra72JN9DcPjgsceJrRpTa8BBAglj87SFPq9khCrv1mnu2PQU0KM7aw35IjvgOdAXnBVmMX+S1UvB6UkT6L2T8PbjAR4Y3k8B4lbJxPVfk807TmA07bYF</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIDszCCApugAwIBAgIJAP7RfQ50pS1JMA0GCSqGSIb3DQEBCwUAMHAxCzAJBgNVBAYTAlNFMRIwEAYDVQQIDAlTdG9ja2hvbG0xEjAQBgNVBAcMCVN0b2NraG9sbTEMMAoGA1UECgwDSUlTMQwwCgYDVQQLDANGZWQxHTAbBgNVBAMMFHNhbWxpZHAubXlkb21haW4ubG9jMB4XDTE1MDgwNDExNDMzNloXDTIwMDgwMzExNDMzNlowcDELMAkGA1UEBhMCU0UxEjAQBgNVBAgMCVN0b2NraG9sbTESMBAGA1UEBwwJU3RvY2tob2xtMQwwCgYDVQQKDANJSVMxDDAKBgNVBAsMA0ZlZDEdMBsGA1UEAwwUc2FtbGlkcC5teWRvbWFpbi5sb2MwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDT1HIQFaO7i5Zxt/Nf6kyHzy7gDXXaxLO++E7cjbMnaWUg/5dsWU0oBLpme+1m+7DybQQsIg9+yjqkJkS22z/2go3MB9PBnxmiaplhAYjWN7oBGpo1R1dwofYQZnLo/iBH0rT+odzv8RvxkhLtGASpNR/b5MIwrnIpWLXgcSybAHNQPi/9peW5eNIq26AHF7QwxgUOHnSazNPCWkSjTye00uFHx8xHYQ7Fjq2pifzhTrDABZgtc3ws/bxOwxz2XnbLWAYhivUCSXCtNErLO68yO0X2NILtUJpJJ6JD+yRFjjBp6KFFwcsEIOHnJ7TW+jk+gAYFrRLRZb9Xp/yjO+JFAgMBAAGjUDBOMB0GA1UdDgQWBBTDeQkkzM7pXo6WQmW74xYTvPf5GDAfBgNVHSMEGDAWgBTDeQkkzM7pXo6WQmW74xYTvPf5GDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBawGnUJabQ/V9UG6/+tCZwKCge4qZKVQ67feu4NAIiQKrcnuuQb0U0g/CrwrJ2TTwHzRVJscf5KW9bWhK4Xuwm2Pq+ySTExHputJW8VaAYZ5J5G7K4M7H4zjCRJwdDSSNI3Jv4+Bs/sOi5jcLQ7wk0oCjQkiARFbB6On22WeAun618AHBTVgn0TsP2JasJyJJomrP6IqVF2Ox6/NB0GEr1gRAv5Apzvxvgra72JN9DcPjgsceJrRpTa8BBAglj87SFPq9khCrv1mnu2PQU0KM7aw35IjvgOdAXnBVmMX+S1UvB6UkT6L2T8PbjAR4Y3k8B4lbJxPVfk807TmA07bYF</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIDrzCCApegAwIBAgIJAOoNi9OD7ABuMA0GCSqGSIb3DQEBCwUAMG4xCzAJBgNVBAYTAlNFMRMwEQYDVQQIDApTb21lLVN0YXRlMQ0wCwYDVQQHDARjaXR5MRQwEgYDVQQKDAtleGFtcGxlIG9yZzETMBEGA1UECwwKZXhhbXBsZSBvdTEQMA4GA1UEAwwHTXkgTmFtZTAeFw0xNzEwMTgxMzE1NDlaFw0yNzEwMTgxMzE1NDlaMG4xCzAJBgNVBAYTAlNFMRMwEQYDVQQIDApTb21lLVN0YXRlMQ0wCwYDVQQHDARjaXR5MRQwEgYDVQQKDAtleGFtcGxlIG9yZzETMBEGA1UECwwKZXhhbXBsZSBvdTEQMA4GA1UEAwwHTXkgTmFtZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK59vVP9/nHcDtvFLKeRO6VxcYSar8vmY5fM4OkeptnTooP9YFbeX/iFP+J9RWnnjwPK8egqYNjvRIA6B/+GZkHszK5Mm7SfTG9ePjtUZCBuFERgbCS2xOXoZIUnt4Uj4kSoJx4pLxQTLnxKW36bqPQLFbM1BjfqwrlYhynNSZEHBH15GCKCAzp1mTFOtCuAs7qZy17+Xs/qiFHWXGLqfq2/XWSGS9mC49BMZueVcFRher2bFD0E/SXa7lkRyuOkmXK7TfAa+r8kEsQrqTaCI6BFPhel1TXBtjQVvVSFvK2d3OwdRS2Bt9OkdbuAmy1OCkxH+QiIxNg3Nhhg4Hg0t8ECAwEAAaNQME4wHQYDVR0OBBYEFHDnZFLGR3G518zCMxAbsbSD079FMB8GA1UdIwQYMBaAFHDnZFLGR3G518zCMxAbsbSD079FMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAGPDJYjbGA58g8fMOjUzmNBNOjRxfl4D47Su0AMd6BNmycs254FdayCyHsxAcZn5w6vKt/of3sX7qS1VYcrl0HIP9f1aNGHMsphTR4vozhrvAD4kXJXP1orBXR9ViU+MfXK4vBcCH8C9tS3yJqUUpwuTrhOK0FR5AsYoQJ7rKiN5lwAJaQL7IwNasJgaSsgEZFl3L1jAENn9Ur1+JHLQGUY/39aqah8IzasN5U32PKIIWvBMhLuV78Bd1Wyh6w0zf6TyKN90AKj1NBgxJFz0yfZ0dOSthHx6hWRcTrP31//+YR8YYXmuD86C2TCeZutB7ig/lsqJ8z4Pv/lccr45+N0=</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIDszCCApugAwIBAgIJAP7RfQ50pS1JMA0GCSqGSIb3DQEBCwUAMHAxCzAJBgNVBAYTAlNFMRIwEAYDVQQIDAlTdG9ja2hvbG0xEjAQBgNVBAcMCVN0b2NraG9sbTEMMAoGA1UECgwDSUlTMQwwCgYDVQQLDANGZWQxHTAbBgNVBAMMFHNhbWxpZHAubXlkb21haW4ubG9jMB4XDTE1MDgwNDExNDMzNloXDTIwMDgwMzExNDMzNlowcDELMAkGA1UEBhMCU0UxEjAQBgNVBAgMCVN0b2NraG9sbTESMBAGA1UEBwwJU3RvY2tob2xtMQwwCgYDVQQKDANJSVMxDDAKBgNVBAsMA0ZlZDEdMBsGA1UEAwwUc2FtbGlkcC5teWRvbWFpbi5sb2MwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDT1HIQFaO7i5Zxt/Nf6kyHzy7gDXXaxLO++E7cjbMnaWUg/5dsWU0oBLpme+1m+7DybQQsIg9+yjqkJkS22z/2go3MB9PBnxmiaplhAYjWN7oBGpo1R1dwofYQZnLo/iBH0rT+odzv8RvxkhLtGASpNR/b5MIwrnIpWLXgcSybAHNQPi/9peW5eNIq26AHF7QwxgUOHnSazNPCWkSjTye00uFHx8xHYQ7Fjq2pifzhTrDABZgtc3ws/bxOwxz2XnbLWAYhivUCSXCtNErLO68yO0X2NILtUJpJJ6JD+yRFjjBp6KFFwcsEIOHnJ7TW+jk+gAYFrRLRZb9Xp/yjO+JFAgMBAAGjUDBOMB0GA1UdDgQWBBTDeQkkzM7pXo6WQmW74xYTvPf5GDAfBgNVHSMEGDAWgBTDeQkkzM7pXo6WQmW74xYTvPf5GDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBawGnUJabQ/V9UG6/+tCZwKCge4qZKVQ67feu4NAIiQKrcnuuQb0U0g/CrwrJ2TTwHzRVJscf5KW9bWhK4Xuwm2Pq+ySTExHputJW8VaAYZ5J5G7K4M7H4zjCRJwdDSSNI3Jv4+Bs/sOi5jcLQ7wk0oCjQkiARFbB6On22WeAun618AHBTVgn0TsP2JasJyJJomrP6IqVF2Ox6/NB0GEr1gRAv5Apzvxvgra72JN9DcPjgsceJrRpTa8BBAglj87SFPq9khCrv1mnu2PQU0KM7aw35IjvgOdAXnBVmMX+S1UvB6UkT6L2T8PbjAR4Y3k8B4lbJxPVfk807TmA07bYF</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIDrzCCApegAwIBAgIJAOoNi9OD7ABuMA0GCSqGSIb3DQEBCwUAMG4xCzAJBgNVBAYTAlNFMRMwEQYDVQQIDApTb21lLVN0YXRlMQ0wCwYDVQQHDARjaXR5MRQwEgYDVQQKDAtleGFtcGxlIG9yZzETMBEGA1UECwwKZXhhbXBsZSBvdTEQMA4GA1UEAwwHTXkgTmFtZTAeFw0xNzEwMTgxMzE1NDlaFw0yNzEwMTgxMzE1NDlaMG4xCzAJBgNVBAYTAlNFMRMwEQYDVQQIDApTb21lLVN0YXRlMQ0wCwYDVQQHDARjaXR5MRQwEgYDVQQKDAtleGFtcGxlIG9yZzETMBEGA1UECwwKZXhhbXBsZSBvdTEQMA4GA1UEAwwHTXkgTmFtZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK59vVP9/nHcDtvFLKeRO6VxcYSar8vmY5fM4OkeptnTooP9YFbeX/iFP+J9RWnnjwPK8egqYNjvRIA6B/+GZkHszK5Mm7SfTG9ePjtUZCBuFERgbCS2xOXoZIUnt4Uj4kSoJx4pLxQTLnxKW36bqPQLFbM1BjfqwrlYhynNSZEHBH15GCKCAzp1mTFOtCuAs7qZy17+Xs/qiFHWXGLqfq2/XWSGS9mC49BMZueVcFRher2bFD0E/SXa7lkRyuOkmXK7TfAa+r8kEsQrqTaCI6BFPhel1TXBtjQVvVSFvK2d3OwdRS2Bt9OkdbuAmy1OCkxH+QiIxNg3Nhhg4Hg0t8ECAwEAAaNQME4wHQYDVR0OBBYEFHDnZFLGR3G518zCMxAbsbSD079FMB8GA1UdIwQYMBaAFHDnZFLGR3G518zCMxAbsbSD079FMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAGPDJYjbGA58g8fMOjUzmNBNOjRxfl4D47Su0AMd6BNmycs254FdayCyHsxAcZn5w6vKt/of3sX7qS1VYcrl0HIP9f1aNGHMsphTR4vozhrvAD4kXJXP1orBXR9ViU+MfXK4vBcCH8C9tS3yJqUUpwuTrhOK0FR5AsYoQJ7rKiN5lwAJaQL7IwNasJgaSsgEZFl3L1jAENn9Ur1+JHLQGUY/39aqah8IzasN5U32PKIIWvBMhLuV78Bd1Wyh6w0zf6TyKN90AKj1NBgxJFz0yfZ0dOSthHx6hWRcTrP31//+YR8YYXmuD86C2TCeZutB7ig/lsqJ8z4Pv/lccr45+N0=</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://myhost.example.com/simplesaml/saml2/idp/SingleLogoutService.php"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://myhost.example.com/simplesaml/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">Example organization</md:OrganizationName>
    <md:OrganizationName xml:lang="sv">Exempel organisation</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">Example organization</md:OrganizationDisplayName>
    <md:OrganizationDisplayName xml:lang="sv">Exempel organisation</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">www.example.com</md:OrganizationURL>
    <md:OrganizationURL xml:lang="sv">www.example.com</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical" xml:lang="sv">
    <md:GivenName>Kalle</md:GivenName>
    <md:SurName>Andersson</md:SurName>
    <md:EmailAddress>kalle.andersson@example.com</md:EmailAddress>
    <md:TelephoneNumber>+468123456</md:TelephoneNumber>
  </md:ContactPerson>
  <md:ContactPerson contactType="technical" xml:lang="en">
    <md:GivenName>Kalle</md:GivenName>
    <md:SurName>Andersson</md:SurName>
    <md:EmailAddress>kalle.andersson@example.com</md:EmailAddress>
    <md:TelephoneNumber>+468123456</md:TelephoneNumber>
  </md:ContactPerson>
  <md:ContactPerson contactType="support" xml:lang="sv">
    <md:GivenName>Kalle</md:GivenName>
    <md:SurName>Andersson</md:SurName>
    <md:EmailAddress>kalle.andersson@example.com</md:EmailAddress>
    <md:TelephoneNumber>+468123456</md:TelephoneNumber>
  </md:ContactPerson>
  <md:ContactPerson contactType="support" xml:lang="en">
    <md:GivenName>Kalle</md:GivenName>
    <md:SurName>Andersson</md:SurName>
    <md:EmailAddress>kalle.andersson@example.com</md:EmailAddress>
    <md:TelephoneNumber>+468123456</md:TelephoneNumber>
  </md:ContactPerson>
</md:EntityDescriptor>
  • No labels