We need to ensure that IdP certificate rollover can occur in a manner that allows for uninterrupted SP service.
In addition to having a way to easily renew the certificate and apply new metadata in Ipsilon (ideally without a restart), we may also need to focus on the SP side in mod_auth_mellon. We need to ensure that an SP can hold copies of both the old and the new IdP certificate, so that the old certificate can keep being used until it expires. Once the old certificate expires, the new certificate should be honored automatically. This might already be possible via one of the following settings (though it needs to be tested):
```apache
# MellonIdPCAFile is the full path to the certificate of the
# certificate authority. This can be used instead of a
# certificate for the IdP.
# Default: None set.
MellonIdPCAFile /etc/apache2/mellon/ca.pem
```
This option might allow us to use a real CA certificate, so we don't have to copy every IdP certificate to the SPs: when the IdP gets a new certificate, it should just work. Of course, we need to allow the Ipsilon metadata certificate to be signed by the IdM CA. We already have a ticket for this (https://fedorahosted.org/ipsilon/ticket/19).
```apache
# MellonIdPMetadataGlob is a glob(3) pattern enabled alternative
# to MellonIdPMetadataFile. Like MellonIdPMetadataFile it will
# accept an optional validating chain if lasso is recent enough.
#
# Default: None set.
#MellonIdPMetadataGlob /etc/apache2/mellon/*-metadata.xml
```
This might allow you to have multiple IdP metadata files for the same IdP (one with the old certificate and one with the new). This would need to be tested to make sure it doesn't get hung up on the expired certificate.
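One way to check what the glob setup above actually gives the SP before relying on it: read every metadata file the pattern matches, fingerprint the IdP signing certificates in each, and report the union plus any file whose `validUntil` has already passed. This is example code written for this ticket, not code from Ipsilon or mod_auth_mellon; the entityID, dates and certificate bodies in the sample are constructed placeholders.

```python
"""Example code for this ticket (not Ipsilon's or mod_auth_mellon's own): which IdP
signing certificates an SP ends up trusting under MellonIdPMetadataGlob."""
import base64
import glob
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def signing_certs(metadata_xml):
    """(entityID, validUntil, SHA-256 fingerprints of signing certs) for one metadata
    document; a KeyDescriptor without 'use' may sign or encrypt, so it counts here."""
    root = ET.fromstring(metadata_xml)
    fps = set()
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            fps.add(hashlib.sha256(der).hexdigest())
    return root.get("entityID"), root.get("validUntil"), fps

def trusted_signing_certs(metadata_docs, now=None):
    """Union of signing certs over all documents (what the glob gives the SP), plus the
    entityIDs of documents whose validUntil has passed, so a stale file is visible."""
    now = now or datetime.now(timezone.utc)
    trusted, stale = {}, []
    for doc in metadata_docs:
        entity_id, valid_until, fps = signing_certs(doc)
        if valid_until and datetime.fromisoformat(valid_until.replace("Z", "+00:00")) < now:
            stale.append(entity_id)
        for fp in fps:
            trusted.setdefault(fp, set()).add(entity_id)
    return trusted, stale

def trusted_from_glob(pattern, now=None):
    """Run the check over the files a real MellonIdPMetadataGlob would match."""
    return trusted_signing_certs([open(p, "rb").read() for p in sorted(glob.glob(pattern))], now)

# Constructed sample input: two metadata files for one IdP, carrying the old and the new
# signing cert. The cert bodies are placeholder bytes, not real DER; only fingerprints matter.
def _doc(valid_until, cert_bytes):
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
            f'entityID="https://idp.example.test/saml2" validUntil="{valid_until}">'
            '<md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{base64.b64encode(cert_bytes).decode()}</ds:X509Certificate>'
            '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>')
SAMPLE_OLD = _doc("2015-01-01T00:00:00Z", b"constructed old idp signing cert")
SAMPLE_NEW = _doc("2099-01-01T00:00:00Z", b"constructed new idp signing cert")
```

On a real SP, `trusted_from_glob("/etc/apache2/mellon/*-metadata.xml")` should list both the old and the new IdP fingerprint while both files are present; a fingerprint missing from the result means the SP cannot verify assertions signed with that key.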
Fields changed
milestone: => 1.3
Metadata Update from @nkinder:
- Issue set to the milestone: 1.3