Re: Self Signed Certs

[Olivier Salaün <olivier.salaun@xxxxxx>]

Hi John,

While moving from our previous federation (CRU Federation) to the new The Fédération Education-Recherche <https://federation.renater.fr>, we decided to stop maintaining a list of trusted CAs and accept any SP/IdP certificates including self-signed ones. At the same time we have generalized attribute push within the federation to get rid of the Attribute Authority and its X.509 authentication.

Our experience is truly positive :

• IdPs now use the default Shibboleth configuration with the generated certificate. This certificate has a longer validity period, thus providing less work for IdP administrators ;
• SPs can use the same certificate they're using with other federations/IdPs. They don't need to check our list of supported CAs. We neither need to collect their list of intermediate CAs (very timing consuming). They don't need to buy a new certificate ;
• No more issues with mod_ssl configuration on the SPs side, because IdPs push attributes through the web browser ;
• The attribute push also makes the federated architecture much simpler and therefore eaiser to explain and to debug.
  

John Krienke a écrit :

Hello fellow federation operators,

InCommon is getting ready to support self-signed certificates in a few short weeks to help with, among other things, inter-federation. We're curious to know if other federations are supporting self-signed certificates already and if so, what you might have found along the way from a technical or communication/education perspective regarding both universities and commercial participants.

john.