Obtaining a digital Certificate
Shibboleth uses SSL certificates for encryption, authentication (between SP &) and digital signing of assertions. Service Provider uses SSL certificates for these purposes:
SSL Server Keypair for Browser-Facing Services
This use of SSL is a browser-facing keypair, and you are free to use any keypair you wish. Often a commercial certificate is used to prevent browser warnings. Configuration of this keypair depends on your web server and you should use its documentation to help you.
SSL Client Keypair for SAML Services
SP sends SOAP requests to IdP to query attributes. Shibboleth uses SSL to authenticate both ends. SP needs a keypair trusted by the
It could be the same as the SSL keypair described next.
In current versions, SSL client keypairs are configured in Shibboleth.xml in the <Credentials> element. Each potential keypair is assigned an Id. The element points at the default TLS keypair to use and might contain elements that override the keypair to use for particular.
XML Signing Keypair for SAML Requests
SP has the ability to digitally sign a SAML request it sends to the. To support this, a keypair trusted by would be used. It could be and usually is the same as the TLS/SSL client keypair described earlier. It is configured in a similar manner in Shibboleth.xml
This feature is not used very often because SSL can be much faster than signing due to the session caching provided by most SSL libraries. It's also not fully supported yet by thefor all the possible uses of client signing.
You may use the same SSL keypair for all of the needs above
Certificates for testing
You may use the free certificates issued by Testshib. For details see TestshibFederation.
Certificates for production
You may use a commercial certificate issued from vendors like Verisign, Thawte or other well known providers. You may use these certificates for browser-facing services as well as SAML services.
Once you are ready to move into production you can follow this guide.
Please note we are not accepting Self-signed certificates, Wild-card certificates and UCCs at this point