Subject: RE: [saml-dev] Same certificate for https and SAML signing


Use a different one. Also, use different key-pairs for signing vs. encryption.

 

From my experience, it’s simpler to just use a long-lived (10-year or more expiry), self-signed cert that is pre-shared with your SAML partners, rather than relying on CA-signed certs. There’s some background on that in this article: https://spaces.internet2.edu/display/InCFederation/X.509+Certificates+in+Metadata#X.509CertificatesinMetadata-Background

Note, though, that that is an implementation-specific site, so it may just be one interpretation of the spec, but it certainly rings true to me.

 

Thanks

michael lucas  

 

From: Vasu Y [mailto:vyal2k@yahoo.com]
Sent: Monday, March 10, 2014 11:27 AM
To: saml-dev@lists.oasis-open.org
Subject: [saml-dev] Same certificate for https and SAML signing

 

Hi,

We already have an (SSL) certificate to make our app available on https. Any thoughts (best practice) on using the same key-pair for SAML signing and encryption purposes, or going with a new one?

 

Thanks,

Vasu
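
The advice above (separate keys for https, SAML signing and SAML encryption) can be checked against an SP's published metadata. The following is an added example, not code from the thread or from any SAML product: it parses the KeyDescriptor elements, fingerprints each certificate and reports any certificate doing more than one job. The metadata document and the certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample SP metadata; the X509Certificate contents are placeholder
# base64 blobs standing in for real DER-encoded certificates.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}"
    entityID="https://sp.example.org/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>U0lHTklOR0NFUlQ=</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>RU5DUllQVElPTkNFUlQ=</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed placeholder for the DER bytes of the certificate served on https.
TLS_CERT_DER = b"TLSCERT"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def metadata_key_fingerprints(xml_text: str) -> dict:
    """Map each KeyDescriptor 'use' ('signing', 'encryption', or 'any' when the
    attribute is absent, which the metadata spec treats as both) to its cert fingerprints."""
    result = {}
    for kd in ET.fromstring(xml_text).iter(f"{{{MD_NS}}}KeyDescriptor"):
        for cert in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            der = base64.b64decode("".join(cert.text.split()))
            result.setdefault(kd.get("use", "any"), set()).add(fingerprint(der))
    return result


def key_separation_findings(xml_text: str, tls_cert_der: bytes) -> list:
    """List the ways one certificate is doing more than one job."""
    keys = metadata_key_fingerprints(xml_text)
    findings = []
    if "any" in keys:
        findings.append("KeyDescriptor without use= serves both signing and encryption")
    if keys.get("signing", set()) & keys.get("encryption", set()):
        findings.append("same certificate used for SAML signing and encryption")
    for use, fps in keys.items():
        if fingerprint(tls_cert_der) in fps:
            findings.append(f"https certificate reused as SAML {use} key")
    return findings
```

Run against real metadata, pass the DER of the certificate your https endpoint actually serves; an empty list means the three roles are backed by distinct certificates.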
