Anonymous_User Absent Member.

Re: Best Practice for IdS generated certificates


I'm resurrecting this question. I'm setting up a new AM environment
(4.0) and the test-connector certificate is replaced with a certificate
signed by an external CA but what about the other auto generated
certificates? Like test-signing, test-provider, test-consumer and
test-encryption. Should these be replaced?

Thanks


--
dei3400
------------------------------------------------------------------------
dei3400's Profile: https://forums.netiq.com/member.php?userid=4671
View this thread: https://forums.netiq.com/showthread.php?t=17885


Re: Best Practice for IdS generated certificates

dei3400 wrote:

>
> I'm resurrecting this question. I'm setting up a new AM environment
> (4.0) and the test-connector certificate is replaced with a
> certificate signed by an external CA but what about the other auto
> generated certificates? Like test-signing, test-provider,
> test-consumer and test-encryption. Should these be replaced?
>
> Thanks


I don't tend to replace the auto-generated ones. We just add new certs
and use those instead for the various components. That way you can give
them more meaningful names.

For example, the test-signing and test-encryption certs are used to
sign SAML assertions. If you just create a cert called
signingCertVerisign-exp0514 and add that to the signing keystore, you
know it's used for signing and will expire in May 2014.

--
Cheers,
Edward

Re: Best Practice for IdS generated certificates


edmaa;240131 Wrote:
> dei3400 wrote:
>
> >
> > I'm resurrecting this question. I'm setting up a new AM environment
> > (4.0) and the test-connector certificate is replaced with a
> > certificate signed by an external CA but what about the other auto
> > generated certificates? Like test-signing, test-provider,
> > test-consumer and test-encryption. Should these be replaced?
> >
> > Thanks

>
> I don't tend to replace the auto-generated ones. We just add new certs
> and use those instead for the various components. That way you can give
> them more meaningful names.
>
> For example, the test-signing and test-encryption certs are used to
> sign SAML assertions. If you just create a cert called
> signingCertVerisign-exp0514 and add that to the signing keystore, you
> know it's used for signing and will expire in May 2014.
>
> --
> Cheers,
> Edward


I made the mistake of replacing the signing cert (vs. not using it, and
using something else). Bad ju-ju happened. Took NTS 2 days to fix it.

So I agree with Edward. Don't whack it, but you can see/try (although
NTS got annoyed with me and seemed to be of the opinion that you should
NEVER have a need to replace the Signing cert for some reason) using
Edward's suggestion.


--
kjhurni
------------------------------------------------------------------------
kjhurni's Profile: https://forums.netiq.com/member.php?userid=322
View this thread: https://forums.netiq.com/showthread.php?t=17885


Re: Best Practice for IdS generated certificates


Thanks for your answers! Follow-up question then 🙂 -Should- I use
other certificates, e.g. Verisign-signed ones, or is it fine to continue
using the auto-generated ones? (test-signing, test-provider,
test-consumer and test-encryption)


--
dei3400
------------------------------------------------------------------------
dei3400's Profile: https://forums.netiq.com/member.php?userid=4671
View this thread: https://forums.netiq.com/showthread.php?t=17885


Re: Best Practice for IdS generated certificates

dei3400 wrote:

>
> Thanks for your answers! Follow-up question then 🙂 -Should- I use
> other certificates, e.g. Verisign-signed ones, or is it fine to continue
> using the auto-generated ones? (test-signing, test-provider,
> test-consumer and test-encryption)


It all depends on your security requirements. The auto-generated ones
are kinda called test-<certname> for a reason. Systems using them might
have requirements to be able to verify the certs via CRLs or OCSP
endpoints etc. If that kinda stuff is not an issue then sure, use these
ones.

--
Cheers,
Edward
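An added example (not code from this thread or from the Access Manager product) of the check Edward's two replies amount to: for a certificate sitting in a signing or encryption keystore, report whether it is self-signed like the installer's test-* certs, whether a relying party could check its revocation via a CRL distribution point or an OCSP AIA entry, how long it has left, and an alias in the signingCertVerisign-exp0514 style. It assumes the third-party `cryptography` package; the test-signing certificate it audits is constructed inside the block.

```python
import datetime
import re
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import AuthorityInformationAccessOID, ExtensionOID, NameOID


def revocation_pointers(cert):
    """Can a relying party check revocation? Look for a CRL DP and an OCSP AIA entry."""
    found = {"crl": False, "ocsp": False}
    try:
        cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS)
        found["crl"] = True
    except x509.ExtensionNotFound:
        pass
    try:
        aia = cert.extensions.get_extension_for_oid(ExtensionOID.AUTHORITY_INFORMATION_ACCESS).value
        found["ocsp"] = any(a.access_method == AuthorityInformationAccessOID.OCSP for a in aia)
    except x509.ExtensionNotFound:
        pass
    return found


def audit(cert, purpose, now):
    """Findings for one keystore entry plus an alias in the <purpose>Cert<issuer>-expMMYY style."""
    issuer_cn = cert.issuer.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    rev = revocation_pointers(cert)
    not_after = cert.not_valid_after  # naive UTC datetime
    return {
        "self_signed": cert.issuer == cert.subject,
        "revocation_checkable": rev["crl"] or rev["ocsp"],
        "days_left": (not_after - now).days,
        "suggested_alias": f"{purpose}Cert{re.sub('[^A-Za-z0-9]', '', issuer_cn)}-exp{not_after:%m%y}",
    }


def make_self_signed(cn, start, days):
    """Constructed sample resembling an installer-generated test-* certificate (no CRL/OCSP data)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(start).not_valid_after(start + datetime.timedelta(days=days))
            .sign(key, hashes.SHA256()))


def demo():
    """Audit a constructed self-signed test-signing cert as seen on 2013-06-01 (hypothetical dates)."""
    cert = make_self_signed("test-signing", datetime.datetime(2013, 5, 10), 365)
    return audit(cert, "signing", datetime.datetime(2013, 6, 1))
```

Run the same `audit` over each entry exported from the signing and encryption keystores; an entry that is self-signed and not revocation-checkable is exactly the case Edward says to judge against your own requirements.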