Change Virtu signing certificate
Edit update.properties to add the new metadata URL:
# Default: haka = http://haka.funet.fi/fed/haka-metadata.xml com.ubisecure.ubilogin.tools.metadata.url = https://virtu-ds.csc.fi/fed/virtu/virtu-metadata-v5.xml
Examine the new metadata signing certificate from
Edit metadata-trust.xml; replace certificate and CRL.
That was determined by examining the certificate using
openssl openssl.exe x509 -in virtu-metadata-cert-2019.pem -text -noout
and examining the X509v3 CRL Distribution Points: Full Name: field.
The issuer of the certificate has changed
openssl.exe x509 -in c:\tmp\virtu-metadata-cert-2019-pem.txt -text -noout
WARNING: can't open config file: /apache24/conf/openssl.cnf
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 203867023 (0xc26c38f)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=FI, O=Vaestorekisterikeskus CA, OU=Palveluvarmenteet, CN=VRK C for Service Providers - G3
Validity
Not Before: May 26 21:00:00 2019 GMT
Not After : May 26 20:59:59 2021 GMT
Subject: C=FI, ST=Finland, L=Espoo, O=CSC - Tieteellinen laskenta Oy, CN
virtu-sign.csc.fi
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
The issuer root certificate needs to be updated.
The trusted source is https://vrk.fi/ca-varmenteet
The root certificate in PEM format is VRK CA for Service Providers - G3
http://vrk.fineid.fi/certs/vrksp3.crt
Open the file in Windows Certificate viewer, export the certificate as a PEM, remove the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, and paste the PEM into the file metadata-trust.xml .
The SSL certificate is the same for https://virtu-ds.csc.fi/fed/virtu/virtu-metadata-v4.xml
and
https://virtu-ds.csc.fi/fed/virtu/virtu-metadata-v5.xml, so ssl-trust.xml needs no changes. Both expire on Wednesday, October 23, 2019. Issued by TERENA.
Related articles