11 votes

We're currently developing an SSL solution using SAML 2.0, and until now have been using self-signed certificates for signing the XML requests.

However, as we move to production, we want to use a certificate from a certificate authority. But I'm not really sure what type of certificate to purchase, as they are all website-centric. For example, single domain, wildcard domain, etc.

For example, I have been looking at these: https://www.123-reg.co.uk/ssl-certificates/

I'm fairly knowledgeable when it comes to purchasing SSL certificates for a website. However, as the certificate is just going to be used for signing SAML requests, does it matter which type is purchased? Surely whether it supports a single domain or a wildcard domain is irrelevant?


1 Answer

16 votes

Certificates in SAML are only used as a convenient way to handle the signing and encryption keys. The keys are usually either exchanged through metadata, or by some secure transfer of the certificate to the parties involved in the SAML exchange. Thus, there is no need to be able to validate the certificates with a public authority.

This is also stated in the SAML metadata specification (line 697):

"This specification takes no position on the allowable or suggested content of this element, nor on its meaning to a relying party. As a concrete example, no implications of including an X.509 certificate by value or reference are to be assumed. Its validity period, extensions, revocation status, and other relevant content may or may not be enforced, at the discretion of the relying party."

So I would just continue using a self signed certificate.

But if you want to buy a certificate, it should have the "digital signature" and "key encipherment" usages. Normal SSL certificates (at least those I've checked) do contain those usages.

The "digital signature" usage should be self-explanatory. The "key encipherment" usage is due to the fact that the key in the certificate is not used to directly encrypt the data. The data is encrypted with a symmetric-key algorithm suitable for larger data sizes. That symmetric key is then encrypted with the RSA key (RSA is suitable for smaller data, such as an encryption key). Thus, the RSA key is used to encrypt/encipher a key.
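The following script is an added example and is not part of the answer above. It shows the three practical points the answer makes: minting a self-signed certificate that carries exactly the "digital signature" and "key encipherment" key usages, checking any certificate (self-signed or purchased) for those two bits before deploying it, and why the second bit matters, by encrypting a payload the way XML Encryption does (a fresh AES key for the data, the RSA key only to wrap that AES key). It assumes only the openssl command-line tool; the CN `saml-sp.example.com` is a placeholder that a SAML relying party never matches to a hostname, and the payload is a constructed stand-in for an assertion.

```shell
#!/bin/sh
# Added example: SAML-style signing/encryption cert with the right keyUsage
# bits, a usage check for purchased certs, and a hybrid-encryption round trip.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME USAGES: self-signed RSA cert + key under $WORK/NAME.*
# The CN is a placeholder; SAML relying parties do not match it to a host.
make_cert() {
  name="$1"; usages="$2"
  cat > "$WORK/$name.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = saml
prompt = no
[dn]
CN = saml-sp.example.com
[saml]
keyUsage = critical, $usages
basicConstraints = CA:FALSE
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
    -config "$WORK/$name.cnf" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.pem" >/dev/null 2>&1
  openssl x509 -in "$WORK/$name.pem" -pubkey -noout > "$WORK/$name.pub"
}

# check_usages CERT: print "ok" when both required bits are present,
# otherwise list the missing bit(s). Run this on a purchased certificate too.
check_usages() {
  usage="$(openssl x509 -in "$1" -noout -text | grep -A1 'X509v3 Key Usage' | tail -n 1)"
  missing=""
  case "$usage" in *"Digital Signature"*) ;; *) missing="$missing digitalSignature" ;; esac
  case "$usage" in *"Key Encipherment"*) ;; *) missing="$missing keyEncipherment" ;; esac
  if [ -z "$missing" ]; then echo ok; else echo "missing:$missing"; fi
}

# sign_and_verify NAME FILE: the digitalSignature usage in practice.
# Prints "Verified OK" when the signature checks out against the public key.
sign_and_verify() {
  openssl dgst -sha256 -sign "$WORK/$1.key" -out "$WORK/$2.sig" "$WORK/$2"
  openssl dgst -sha256 -verify "$WORK/$1.pub" -signature "$WORK/$2.sig" "$WORK/$2"
}

# hybrid_roundtrip NAME FILE: encrypt FILE the way XML Encryption does
# (AES for the data, RSA-OAEP only to wrap the AES key), then decrypt it
# again with the private key. Prints "match" on success.
hybrid_roundtrip() {
  name="$1"; f="$WORK/$2"
  openssl rand -out "$f.aeskey" 32          # per-message symmetric key
  iv="$(openssl rand -hex 16)"
  k="$(od -An -tx1 -v "$f.aeskey" | tr -d ' \n')"
  openssl enc -aes-256-cbc -K "$k" -iv "$iv" -in "$f" -out "$f.enc"
  # RSA encrypts only the 32-byte key, never the payload: this is the
  # "key encipherment" the keyUsage extension refers to.
  openssl pkeyutl -encrypt -pubin -inkey "$WORK/$name.pub" \
    -pkeyopt rsa_padding_mode:oaep -in "$f.aeskey" -out "$f.aeskey.enc"
  # Receiver side: unwrap the AES key with the private key, then decrypt.
  openssl pkeyutl -decrypt -inkey "$WORK/$name.key" \
    -pkeyopt rsa_padding_mode:oaep -in "$f.aeskey.enc" -out "$f.aeskey.dec"
  k2="$(od -An -tx1 -v "$f.aeskey.dec" | tr -d ' \n')"
  openssl enc -d -aes-256-cbc -K "$k2" -iv "$iv" -in "$f.enc" -out "$f.dec"
  if cmp -s "$f" "$f.dec"; then echo match; else echo mismatch; fi
}

# Constructed sample payload standing in for a SAML assertion.
printf '<saml:Assertion>constructed sample</saml:Assertion>\n' > "$WORK/msg"
make_cert sp "digitalSignature, keyEncipherment"
make_cert signonly "digitalSignature"

echo "sp cert usages:       $(check_usages "$WORK/sp.pem")"
echo "signonly cert usages: $(check_usages "$WORK/signonly.pem")"
echo "signature check:      $(sign_and_verify sp msg)"
echo "hybrid round trip:    $(hybrid_roundtrip sp msg)"
```

Point `check_usages` at the certificate a CA issues you to confirm it carries both bits; the "signonly" certificate is there to show what a missing "Key Encipherment" bit looks like in the output. Whether a relying party enforces the bits at all is, per the quoted specification, up to that party.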