By: Tomas Liljebergh user 28 Apr 2021 at 1:57 a.m. CDT

3 Responses
As Gluu generated certificates with only a 1-year lifetime at installation, we are now trying to roll over the certificates but can't get it to work. For this we have generated new self-signed certs with a lifetime of 10 years. The certificates are placed in /etc/certs. After restarts nothing changes; Gluu is still releasing only the old certs. If we exchange the cert files under /etc/certs we can get Gluu to use only the new certs, but during a rollover it is necessary to have both the new and old keys in the metadata. The files we have altered are idp.properties and credentials.xml. Are we missing something? Cuts from the config files are below:

*idp.properties*

    #### Settings for public/private signing and encryption key(s)
    #### During decryption key rollover, point the ".2" properties at a second
    #### keypair, uncomment in credentials.xml, then publish it in your metadata.
    idp.signing.key = /etc/certs/idp-signing.key
    idp.signing.cert = /etc/certs/idp-signing.crt
    idp.encryption.key = /etc/certs/idp-encryption.key
    idp.encryption.cert = /etc/certs/idp-encryption.crt

    idp.signing.key.2 = /etc/certs/idp-signing2.key
    idp.signing.cert.2 = /etc/certs/idp-signing2.crt
    idp.encryption.key.2 = /etc/certs/idp-encryption2.key
    idp.encryption.cert.2 = /etc/certs/idp-encryption2.crt

*credentials.xml*

    <util:list id="shibboleth.SigningCredentials">
        <ref bean="shibboleth.DefaultSigningCredential" />
        <ref bean="shibboleth.DefaultSigningCredential2" />
    </util:list>

    <bean id="shibboleth.DefaultSigningCredential"
        class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean"
        p:privateKeyResource="%{idp.signing.key}"
        p:certificateResource="%{idp.signing.cert}"
        p:entityId-ref="entityID" />

    <bean id="shibboleth.DefaultSigningCredential2"
        class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean"
        p:privateKeyResource="%{idp.signing.key.2}"
        p:certificateResource="%{idp.signing.cert.2}"
        p:entityId-ref="entityID" />

    <alias alias="shibboleth.DefaultClientTLSCredential" name="shibboleth.DefaultSigningCredential" />

    <alias alias="shibboleth.EncryptionCredentials" name="shibboleth.DefaultEncryptionCredentials" />

    <util:list id="shibboleth.DefaultEncryptionCredentials">
        <bean class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean"
            p:privateKeyResource="%{idp.encryption.key}"
            p:certificateResource="%{idp.encryption.cert}"
            p:entityId-ref="entityID" />
        <bean class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean"
            p:privateKeyResource="%{idp.encryption.key.2}"
            p:certificateResource="%{idp.encryption.cert.2}"
            p:entityId-ref="entityID" />
    </util:list>

    </beans>

By Mobarak Hosen Shakil staff 29 Apr 2021 at 11:26 a.m. CDT

Hi Tomas Liljebergh,

Please read this documentation: https://gluu.org/docs/gluu-server/4.2/admin-guide/certificate/ . This may help you to update Gluu Server certificates.

Thanks & Regards
~ Shakil

By Tomas Liljebergh user 30 Apr 2021 at 8:17 a.m. CDT

Thanks, I have been reading that page several times and it did help us find where the keys are so we can swap them. But our problem is that we want to do a seamless rollover, and for that we need to publish both old and new keys in our SAML XML file. The Shibboleth specifications would allow us to do that, but we can't find any way to do it in Gluu. If we don't do it seamlessly we would have to sync the key rollover with all the SPs that use our IdP, and that would not make things easy! So, any ideas on how to get both keys in the XML file and make sure Gluu understands both of them?

Regards
Tomas
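The point of the thread is that a seamless rollover requires the IdP metadata to publish both the expiring and the new certificate for a key use, so that SPs accept either until the switch is complete. The script below is an added example, not code from the original posts nor from Gluu or Shibboleth: it parses an EntityDescriptor, lists every X509Certificate under every KeyDescriptor with its role and use, and classifies the rollover for one use as "old-only", "new-only", "rollover" or "none". The sample metadata, the entityID https://idp.example.org/idp/shibboleth and the certificate bytes are constructed placeholders (the "certificates" are arbitrary bytes, not real DER), so the check runs offline; against a live IdP you would feed it the metadata document the IdP publishes and the two real certificate files.

```python
"""Check which certificates an IdP's SAML metadata publishes for a key use,
so a rollover (old + new cert both present) can be confirmed before SPs
are pointed at the new metadata. Added example; not Gluu or Shibboleth code."""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD_NS, "ds": DS_NS}


def cert_fingerprint(cert_text):
    """SHA-256 over the DER bytes of a certificate given either as PEM or as
    the bare base64 blob used inside <ds:X509Certificate>."""
    lines = [ln.strip() for ln in cert_text.strip().splitlines()]
    b64 = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    return hashlib.sha256(base64.b64decode(b64)).hexdigest()


def published_keys(metadata_xml):
    """Return (role, use, fingerprint) for every X509Certificate in every
    KeyDescriptor of every role descriptor. use=None means the KeyDescriptor
    has no 'use' attribute, which in SAML metadata means signing AND encryption."""
    root = ET.fromstring(metadata_xml)
    found = []
    for role in root.iter():  # ElementTree has no parent links, so walk top-down
        role_name = role.tag.rsplit("}", 1)[-1]
        for kd in role.findall("md:KeyDescriptor", NS):
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                found.append((role_name, kd.get("use"), cert_fingerprint(cert.text)))
    return found


def rollover_state(metadata_xml, old_cert, new_cert, use="signing"):
    """Classify the rollover for one key use by which of the two certs is published."""
    label = {cert_fingerprint(old_cert): "old", cert_fingerprint(new_cert): "new"}
    present = {
        label[fp]
        for _, u, fp in published_keys(metadata_xml)
        if fp in label and (u is None or u == use)
    }
    if present == {"old", "new"}:
        return "rollover"   # both published: SPs accept either key
    if present == {"new"}:
        return "new-only"   # old key dropped: SPs still caching it will fail
    if present == {"old"}:
        return "old-only"   # new key not yet published: SPs cannot pre-stage it
    return "none"


# Constructed placeholders standing in for the DER of the expiring and the new
# certificate; real metadata carries actual base64 DER here.
OLD_CERT_B64 = base64.b64encode(b"placeholder DER: expiring 1-year cert").decode()
NEW_CERT_B64 = base64.b64encode(b"placeholder DER: new 10-year cert").decode()


def _kd(use, cert_b64):
    """Build one KeyDescriptor element as it appears in IdP metadata."""
    return (f'<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{cert_b64}</ds:X509Certificate>'
            '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')


# Constructed sample: signing is mid-rollover (both certs), encryption is not.
SAMPLE_METADATA = (
    f'<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}" '
    'entityID="https://idp.example.org/idp/shibboleth">'
    '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    + _kd("signing", OLD_CERT_B64) + _kd("signing", NEW_CERT_B64)
    + _kd("encryption", OLD_CERT_B64)
    + '</md:IDPSSODescriptor></md:EntityDescriptor>'
)

if __name__ == "__main__":
    for role, use, fp in published_keys(SAMPLE_METADATA):
        print(role, use, fp[:16])
    print("signing:", rollover_state(SAMPLE_METADATA, OLD_CERT_B64, NEW_CERT_B64, "signing"))
    print("encryption:", rollover_state(SAMPLE_METADATA, OLD_CERT_B64, NEW_CERT_B64, "encryption"))
```

Fingerprints are compared rather than raw base64 text because whitespace and line wrapping inside X509Certificate vary between tools; a KeyDescriptor without a use attribute is counted for both uses, since that is what consumers of the metadata will do.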

By Tomas Liljebergh user 15 Jun 2021 at 1:57 a.m. CDT

In the end we managed to do this, so I am closing the ticket!