Browser facing certificate for Shibboleth IdP using the Certificate snap-in in Windows

Earlier versions of the IdP may use jetty.browser.keystore.password instead of jetty.sslContext.keyStorePassword

Browser facing certificate for Shibboleth IdP using the Certificate snap-in in Windows

This page will take you through creating a browser facing certificate using the certificate snap-in to the Microsoft management Console (MMC) in Windows. This will allow you to create a certificate request (CSR), you then pass this to a Certificate Authority (CA) for signing, import it into the certificate snap-in and then export as PKCS12 file that can be used with Jetty as part of the Shibboleth IdP Windows Installer.

Note: we use idp.example.ac.uk as the FQDN for your Shibboleth IdP in this example. you should replace this with the one you intended to use.

  1. Add the Certificate Snap-in into MMC for the computer account, further instructions can be found at Add the Certificates Snap-in to an MMC
  2. Open 'Certificates (Local Computer)', expand 'Personal' and 'Certificates' folders
  3. Right click, choose 'All Tasks', choose 'Advanced Operations' and 'Create Custom Request'
  4. On the 'Select Certificate Enrolment Policy' page, choose 'Proceed without enrolment policy'
  5. On the 'Custom request' page, ensure that 'Template' is set to '(No template) CNG key' and that 'Request format' is set to 'PKCS #10', then hit 'Next'.
  6. On the 'Certificate Information' page, click the drop down for 'Details' and then 'Properties'
  7. On the 'General tab', enter the 'Friendly name:' as 'Browser facing certificate for idp.example.ac.uk'
  8. On the 'Subject' tab, under 'Subject name' select Type: 'Common name' and enter value 'idp.example.ac.uk', repeat this for each of the follow
    • Country – C (country) i.e. GB
    • Email – E (a contact e-mail address) e.g. it@example.ac.uk
    • Locality – L (town / city) e.g. Example City
    • Organization – O (Organisation Name) e.g. Example University
    • State – S (County) e.g. Example
  9. On the 'Subject' tab, under 'Alternative name' select Type: 'DNS' and enter value 'idp.example.ac.uk'. You may wish to repeat this step for any additional SubjectAlternativeNames that are required.
  10. On the 'Private Key' tab:
    1. under 'Cryptographic Service provider' ensure that 'RSA,Microsoft Software Key Storage Provider' is selected
    2. under 'Key options' set the 'Key size:' to at least '2048', choose 'Make private key exportable'
    3. under 'Select Hash Algorithm' set the Hash Algorithm to 'SHA256'
    4. Click OK to close the Certificate Properties dialogue,
  11. On the 'Certificate Information' page click 'Next'
  12. Enter a filename for the certificate request e.g. idp.example.ac.uk, and ensure that Base64 is now ticked
  13. Take your idp.example.ac.uk.csr file and submit to your choosen Certificate Authority. You may wish to use the Jisc Certificate Service
  14. Once you have your Public Key certificate and the Intermediate Public key certificates, you can then import each into MMC. These are sometimes provided as a Zip file, so you may need to unzip those to a suitable location.
  15. Right Click, choose All Tasks, and then Import. On the first page of the Certificate Import Wizard, ensure Store Location is 'Local Machine' and hit next
  16. Select the File name of the certificate to import, and hit Next
  17. On the Certificate Storage, page ensure it is selected to 'Place all certificate in the following store', and Certificate Store: Personal.
  18. On the 'Completing the Certificate Import Wizard' page hit 'Finish'
  19. You should now see the Certificate listed.
  20. Repeat steps - 15-19 to add an intermediate certificates provided by your CA.
  21. From within MMC, choose your certificate. If you double click on the certificate should tell you that 'You have a private key that corresponds to this certificate'
  22. Right Click on the certificate, choose 'All Tasks' and 'Export'
  23. On the Certificate Export Wizard, Choose 'Next'.
  24. Export Private Key, Choose 'Yes, export the private key'
  25. Export File Format, should now have chosen 'Personal Information Exchange - PKCS #12 (.PFX), e nsure that 'Include all certificate in the certification path if possible' and 'Export all extended properties' are chosen, and choose Next
  26. Under 'Security', choose 'Password'. In terms of setting the password at this point you can either;
    • Open up C:\Program Files(x86)\Shibboleth\IdP\jetty-base\start.d\idp.ini, and use the jetty.sslContext.keyStorePassword provided (Note the {} are part of the password) 
 jetty.sslContext.keyStorePassword={ABCDEF01-ABCD-0123-4567-89ABCDEF0123}
  • Alternatively, enter a new password and at a later stage update jetty.sslContext.keyStorePassword= in C:\Program Files(x86)\Shibboleth\IdP\jetty-base\start.d\idp.ini
  1. Under File to Export, Select the file, navigate to C:\Program Files(x86)\Shibboleth\IdP\credentials and choose 'Save as Type', and 'All Files (*.*)', enter a suitable filename e.g. idp.example.ac.uk.pfx and Click Next
  2. Completing the certificate Export Wizard, Click Finish, and on you should have a dialogue to say that 'The Export was successful'
  3. Open up C:\Program Files(x86)\Shibboleth\IdP\jetty-base\start.d\idp.ini and on the line jetty.sslContext.keyStorePassword= change idp-userfacing.p12 to idp.example.ac.uk.pfx
  4. You can now start the Shibboleth IdP. Go to C:\Program Files(x86)\Shibboleth\ProcRun and choose shibd_idpw.exe and Click Start [If it as already running you may need to hit Start].
  5. Visit your IdP status page at https://idp.example.ac.uk/idp/status in a Browser. If you are testing without the relevant external DNS records and firewalls in place you might wish to temporarily add an entry to your system hosts file C:\Windows\System32\drivers\etc\hosts so that you can test 
 127.0.0.1 idp.example