Reputation: 1240
I am presently implementing Single-Sign-On within my MVC application using Kentor.AuthServices. The configuration contains two elements, <signingCertificate> and <serviceCertificates>, which appear to point to X.509 certificates on the local machine.
Now I guess these certificates are different to the ones installed for SSL? The documentation refers to these as "signing" certificates. The only links I've seen so far seem to be aimed towards making your own "self-signed" certificates. I guess these can't be used on the live application? If not, how do I go about obtaining such a certificate?
Upvotes: 3
Views: 196
Reputation: 69270
There are two places in the AuthServices config that contain certificates.
The signingCertificate is a certificate that refers to the certificate that the Idp uses to sign the SAML2 assertions it creates. Easiest is to let AuthServices load this as part of the Idp metadata, but if that is not possible you can download the certificate and configure it. You only need the public key (typically .cer file) of this certificate. The Idp should keep its private key well secured.
The serviceCertificate is the other way around - that is what AuthServices uses to sign outgoing requests (if that is needed, in simple setups it isn't). SAML2 contains its own means of distributing certificates (through metadata) so a self-signed cert will often do.
Upvotes: 4
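The two situations the answer above describes, as an added PowerShell example (this is not code from the answer or from the Kentor.AuthServices project): first, creating a self-signed signing-only certificate in the machine store to serve as the serviceCertificate and exporting just its public part (the .cer that gets published to IdPs); second, sanity-checking an IdP certificate that was downloaded by hand before it is wired into signingCertificate. The subject name, the store location and the file paths are assumptions.

```powershell
# Added example, not part of the original answer or of Kentor.AuthServices.
# Part 1: self-signed signing certificate for the SP side (the serviceCertificate).
# Subject, store location and output path are assumptions; adjust to your environment.
$spCert = New-SelfSignedCertificate `
    -Subject 'CN=sp.example.com SAML signing' `
    -Type Custom `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeySpec Signature -KeyUsage DigitalSignature `
    -KeyExportPolicy NonExportable `
    -NotAfter (Get-Date).AddYears(2) `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# Export only the public part. This .cer is what IdPs receive (normally via SP metadata);
# the private key never leaves the machine store.
Export-Certificate -Cert $spCert -FilePath 'C:\temp\sp-signing.cer' -Type CERT | Out-Null

# Part 2: check a manually downloaded IdP certificate before configuring it as the
# signingCertificate. It must be public-only, currently valid and usable for signatures.
$idpPath = 'C:\temp\idp-signing.cer'   # assumed download location
$idpCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $idpPath

if ($idpCert.HasPrivateKey) {
    throw 'An IdP signing certificate you received should carry no private key.'
}
$now = Get-Date
if ($now -lt $idpCert.NotBefore -or $now -gt $idpCert.NotAfter) {
    throw "Certificate is outside its validity period ($($idpCert.NotBefore) to $($idpCert.NotAfter))."
}
$sigFlag  = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
$keyUsage = $idpCert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
if ($keyUsage -and (($keyUsage.KeyUsages -band $sigFlag) -ne $sigFlag)) {
    throw 'Certificate key usage does not include DigitalSignature.'
}

# Compare this thumbprint with the one in the IdP's published metadata before trusting it.
"IdP signing certificate thumbprint: $($idpCert.Thumbprint)"
```

The SP certificate is created non-exportable on purpose: AuthServices only needs to sign with it on this machine, so the IIS application pool identity must be granted read access to the private key in the LocalMachine store, and nothing else should be able to copy it. The thumbprint printed at the end is the value to cross-check against the IdP's metadata, which is also why letting AuthServices read the certificate from metadata directly, as the answer suggests, is the simpler route.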
Reputation: 12397
A signing certificate is a cert with its purpose flags set to allow it to be used for code signing. A normal SSL/TLS server cert normally does not have that flag set. You can get a signing cert from (most of) the same CAs that sell server certificates, but the price (and paperwork) for a code signing cert is usually different.
Upvotes: 0