Creating Certificates
A SAML service provider makes use of two different certificates: one to
protect the service provider itself and one to protect a public-facing
web application.
Service Provider
Your service provider uses a certificate to establish a trust
relationship with an IdP and to protect attributes in transit. You
must make use of a self-signed certificate for this purpose; do not
use a commercially provided certificate.
Generating a self-signed certificate for your service provider
OpenSSL lets you generate both a private key and a self-signed
certificate in a single step, which is shown below. Note that this
certificate is valid for three years. Also note the correct values of the
subject — make sure that the Common Name matches the canonical name of
the server hosting your service provider.
$ openssl req -x509 -nodes -sha256 \
-days 1095 -newkey rsa:2048 -keyout /etc/shibboleth/changeme.key \
-out /etc/shibboleth/changeme.crt
Generating a 2048 bit RSA private key
.........................+++
.......................................................................
...........................................................................+++
writing new private key to '/etc/shibboleth/changeme.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ZA
State or Province Name (full name) [Some-State]:Eastern Cape
Locality Name (eg, city) []:Grahamstown
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Rhodes University
Organizational Unit Name (eg, section) []:Your Dept/Division Name
Common Name (eg, YOUR name) []:CHANGEME.ru.ac.za
Email Address []:your.email.address@ru.ac.za
$ chmod 400 /etc/shibboleth/changeme.key /etc/shibboleth/changeme.crt
The public key from this certificate forms part of the metadata for your service provider.
Web Application
If you need an SSL certificate for a web application running on a
Rhodes (.ru.ac.za) website, you can ask the I&TS Division to
request one for you (I&TS manage the relationship with the
University's certificate providers). Note that SSL certificates
may incur annual costs.
To request a certificate, you need a certificate signing request.
Generating a certificate signing request
First generate an unprotected RSA private key. Make sure that this
private key is different to the one above. (If you wish to password protect
your private key, add -des3 to the command line below.)
$ openssl genrsa -out /etc/ssl/private/changeme.key 2048
Generating RSA private key, 2048 bit long modulus
.......................+++
.........................+++
e is 65537 (0x10001)
Now generate a certificate signing request, ready to forward to the
I&TS Division. Ensure that the subject details are correct — the
organisational details must exactly match those the certificate provider has
on record (the correct ones are shown), and the Common Name must be the
fully-qualified name of your web server.
$ openssl req -sha256 -new \
-key /etc/ssl/private/changeme.key \
-out /etc/ssl/private/changeme.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ZA
State or Province Name (full name) [Some-State]:Eastern Cape
Locality Name (eg, city) []:Grahamstown
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Rhodes University
Organizational Unit Name (eg, section) []:Your Dept/Division Name
Common Name (eg, YOUR name) []:CHANGEME.ru.ac.za
Email Address []:your.email.address@ru.ac.za
$ chmod 400 /etc/ssl/private/changeme.key /etc/ssl/private/changeme.csr
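As an added example (not from this page or the Shibboleth project), the script below runs both openssl steps above non-interactively (-subj replaces the prompts) and then checks the two things the text tells you to get right: that the private key really belongs to the certificate or CSR, and that the Common Name is the server's canonical name. The host names, the OU value and the file names under the temporary directory are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original page: both openssl steps above run
# non-interactively, then the checks worth doing before shipping anything:
# the key belongs to the cert/CSR and the CN is the server's canonical name.
set -eu
SUBJ="/C=ZA/ST=Eastern Cape/L=Grahamstown/O=Rhodes University/OU=Your Dept"

# gen_sp_cert DIR HOST: self-signed SP certificate, valid 1095 days (3 years)
gen_sp_cert() {
    openssl req -x509 -nodes -sha256 -days 1095 -newkey rsa:2048 \
        -keyout "$1/sp.key" -out "$1/sp.crt" -subj "$SUBJ/CN=$2" 2>/dev/null
    chmod 400 "$1/sp.key" "$1/sp.crt"
}
# gen_web_csr DIR HOST: a separate unprotected key plus a CSR for the web server
gen_web_csr() {
    openssl genrsa -out "$1/web.key" 2048 2>/dev/null
    openssl req -sha256 -new -key "$1/web.key" -out "$1/web.csr" -subj "$SUBJ/CN=$2"
    chmod 400 "$1/web.key" "$1/web.csr"
}
# subject_cn FILE: print the CN of a certificate (.crt) or request (.csr)
subject_cn() {
    case "$1" in
        *.csr) openssl req  -in "$1" -noout -subject -nameopt RFC2253 ;;
        *)     openssl x509 -in "$1" -noout -subject -nameopt RFC2253 ;;
    esac | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# pubkey_digest FILE: SHA-256 of the public key held in a .key, .csr or .crt
pubkey_digest() {
    case "$1" in
        *.key) openssl pkey -in "$1" -pubout ;;
        *.csr) openssl req  -in "$1" -noout -pubkey ;;
        *)     openssl x509 -in "$1" -noout -pubkey ;;
    esac 2>/dev/null | openssl sha256 | sed 's/.*= //'
}

# check_pair KEY FILE HOST: 0 iff FILE's public key comes from KEY and its CN is HOST
check_pair() {
    [ "$(pubkey_digest "$1")" = "$(pubkey_digest "$2")" ] ||
        { echo "$2: public key does not come from $1" >&2; return 1; }
    [ "$(subject_cn "$2")" = "$3" ] ||
        { echo "$2: CN is '$(subject_cn "$2")', expected '$3'" >&2; return 1; }
    echo "$2: key matches and CN is $3"
}

dir=$(mktemp -d)   # placeholder location; the page uses /etc/shibboleth and /etc/ssl/private
gen_sp_cert "$dir" "changeme.ru.ac.za"
gen_web_csr "$dir" "www.changeme.ru.ac.za"
check_pair "$dir/sp.key"  "$dir/sp.crt" "changeme.ru.ac.za"
check_pair "$dir/web.key" "$dir/web.csr" "www.changeme.ru.ac.za"
```

Running check_pair with the SP key against the web CSR fails, which is the quick way to confirm the two private keys really are different.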