SAML and X509Certificates

Working with a vendor to create a SAML response and I have a request to provide them with an x509 certificate (The public key of the certificate being used to sign the SAML response and all applicable cert chain(s) of the signing cert).

Originally I thought that the x509 format of the SSL key I have been using to secure my website (the SAML response will becoming from a directory of this website) was a sufficient enough key. After speaking with the third party vendor whom supplied me with the key I'm being informed that an SSL key may work but that I may need a code signing certificate instead. I'm not familiar with code signing certificates have mostly dealt with SSL keys.

In the case of creating a SAML response which key type is appropriate?
dowhatyoudo22Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

becraigCommented:
I would not suggest using the SSL certificate for the saml response as any issues related to your website SSL automatically impacts your application.

There is an open opinion on this:
Q10. I need a certificate for use in the InCommon Federation. What sort of certificate should I use from the InCommon Certificate Service for that purpose?

That depends. If you are deploying a SAML Identity Provider (IdP) or a SAML Service Provider (SP) in the InCommon Federation, and you need an SSL/TLS certificate for an ordinary browser-facing SAML endpoint, you should use a web server certificate as described in Q1.

If, on the other hand, you need a public/private key pair for XML Signature and/or XML Encryption, you should use a long-lived self-signed certificate, which is the preferred type of certificate inserted into InCommon metadata.
Reprinted from
"https://www.incommon.org/certificates/certpick.html"


There is also an opinion a Self signed cert should work just as well:
https://spaces.internet2.edu/display/InCFederation/X.509+Certificates+in+Metadata

In any event using the SSL certificate for your website is not something I would recomnend.
0
becraigCommented:
dowhatyoudo22

Did my answer help, or do you need further assistance with this question ?
0
dowhatyoudo22Author Commented:
Sorry, I thought I had responded to this a while ago. I had asked if you could provide more information explaining the pros & cons to using the SSL certificate currently being used for my website other than "if there is a problem with the site certificate then we would experience problems with the certificate for the SAML".
0
becraigCommented:
The long and short of it is, the web server certificate is used in normal web traffic and the key pair may potentially be available to members of your team which creates the potential for compromise.

There is NO one reason to do it or not to, my recommendation as a best practice where encryption is concerned is to simply separate digital certificates used especially for token signing etc. .

If you want to proceed with using your website certificate, there is no reason why you cannot, as indicated from the links above there are discussions on this based simply on a matter of preference.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Web Development

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.