Use of certificates in Haka

The Haka certificate policy defines the type of certificates that entities MUST use to secure the exchange of SAML messages between Haka identity providers and service providers. This certificate policy does not apply to the certificates used by WWW servers, i.e. the certificates seen by the web browsers of Haka users.

WWW servers may use any certificates whatsoever. However, it is RECOMMENDED that WWW servers use certificates signed by generally known certificate authorities.

Haka recommends the use of self-signed certificates with a reasonably long validity period for signing and encrypting SAML messages.

Service providers are RECOMMENDED to use two separate key pairs, one for encryption and one for signing.

In SAML message exchange, certificates are used to sign and/or encrypt the messages passed between identity providers and service providers. In the SAML use case the certificate needs to be usable for both client and server authentication. This must be taken into account when creating certificates.

The DNS name of the service SHOULD correspond to the CN (common name) field of the certificate. This requirement rules out wildcard certificates (e.g. *.domain.com).

Key length

The public key of the certificate MUST be at least 2048 bits of length.
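The following script is an added example and is not part of the Haka policy or of the Shibboleth tooling. It shows one way to create a self-signed certificate that satisfies the points above (separate signing and encryption keys, CN equal to the service's DNS name, no wildcard, usable for both client and server authentication, long validity, RSA key of at least 2048 bits) and then checks a given certificate file against those same requirements. It assumes a recent OpenSSL (1.1.1 or newer, for the `-addext` option) is installed; the hostname `sp.example.org` and the output directory are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Haka's or Shibboleth's own tooling.
# Assumes: openssl 1.1.1+ on PATH. "sp.example.org" is a constructed placeholder.
set -e

HOST="sp.example.org"              # placeholder DNS name of the service
DAYS=3650                          # reasonably long validity (10 years)
OUTDIR="${OUTDIR:-$(mktemp -d)}"   # where keys and certificates are written

# Generate a fresh RSA key pair and a self-signed certificate for it.
# The CN is the service's DNS name, and extendedKeyUsage lists both
# serverAuth and clientAuth so the certificate works in either role.
gen_saml_cert() {
    name="$1"; host="$2"
    openssl req -x509 -newkey rsa:3072 -sha256 -nodes \
        -keyout "$OUTDIR/$name.key" -out "$OUTDIR/$name.crt" \
        -days "$DAYS" -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" \
        -addext "extendedKeyUsage=serverAuth,clientAuth" \
        >/dev/null 2>&1
}

# Policy check: the public key MUST be at least 2048 bits.
check_key_length() {
    bits=$(openssl x509 -in "$1" -noout -text \
           | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    [ -n "$bits" ] && [ "$bits" -ge 2048 ]
}

# Policy check: CN SHOULD equal the service's DNS name, so no wildcard.
check_cn() {
    cn=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
         | sed -n 's/^subject=CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$2" ] && ! printf '%s' "$cn" | grep -q '\*'
}

# Policy check: certificate must be usable for both client and server use.
check_eku() {
    txt=$(openssl x509 -in "$1" -noout -text)
    printf '%s' "$txt" | grep -q 'TLS Web Server Authentication' \
        && printf '%s' "$txt" | grep -q 'TLS Web Client Authentication'
}

# All checks together; returns 0 only if every requirement is met.
check_policy() {
    check_key_length "$1" && check_cn "$1" "$2" && check_eku "$1"
}

# Stand-alone usage: separate key pairs for signing and encryption,
# each verified against the policy.
for role in signing encryption; do
    gen_saml_cert "$role" "$HOST"
    if check_policy "$OUTDIR/$role.crt" "$HOST"; then
        echo "$role certificate OK: $OUTDIR/$role.crt"
    else
        echo "$role certificate does NOT meet the policy" >&2
    fi
done
```

The check functions can also be pointed at an existing certificate file, for instance one exported from an SP or IdP installation, to verify it before submitting it to the federation metadata; a wildcard CN or a 1024-bit key makes `check_policy` return non-zero.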

Renewing and revoking certificates

Shibboleth software does not use certificate revocation lists (CRLs) to verify certificates. If there is reason to suspect that the private key of the certificate has fallen into the wrong hands, one MUST contact the Haka operator immediately so that the certificate can be changed or the service temporarily removed from the Haka metadata.

To change the certificate or the private key used to sign the certificate request, follow the instructions for Shibboleth SP or IdP.