Page tree
Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 22 Next »

The basic file format

Moonshot ships with a tool, moonshot-webp, to securely and correctly provision credentials onto clients. The format for credential files is simple XML:

<?xml version="1.0" encoding="UTF-8"?>
    <display-name>[i.e. John Smith from Camford University]</display-name>
    <user>[i.e. johnsmith]</user>
    <password>[i.e. correct-horse-battery-staple]</password>
    <services>[optional, see Services]</services>
    <selection-rules>[optional, see Selection Rules]</selection-rules>
      <!-- Either ca-cert and subject, or ca-cert and subject-alt -->
      <ca-cert>[Base64-encoded representation of the APC/IdP's CA root certificate, see Trust Anchors]</ca-cert>
      <subject>[CN value of the APC/IdP's server certificate, see Trust Anchors]</subject>
      <subject-alt>[The DNS/FQDN or IP value in the X509v3 extension of the APC/IdP's server certificate, see Trust Anchors]</subject-alt>
      <!-- Or, alternatively, server-cert only -->
      <server-cert>[SHA-256 hash of the APC/IdP's server certificate, see Trust Anchors]</server-cert>

Trust Anchors

Inclusion of the trust anchor is vital - without it credentials may be exposed to malicious resource providers. This credential format is also used to secure communication between RP's, IdP's and trust routers.

You can use either the Certificate Authority (CA) root certificate or the server certificate as trust anchor.

CA Root Certificate

Certificate Expiry

We recommend that a CA certificate is generated with a long expiry time (in years or decades), and that it is kept safe for subsequent server and user certificate generation cycles.

To use the CA root certificate as a trust anchor, you must populate the one or more of the following tags in the <trust-anchor> section:

  • <ca-cert>: The value of this tag is either a Base64-encoded version of the CA certificate in DER form, or the contents of ca.pem, excluding the BEGIN and END lines.
    This value is always required.
  • <subject>: The value of this tag is the CN value of the DN in the text representation of the server certificate. 
    In self-generated certificates, this value is the same as the contents of commonName in your FreeRADIUS server.cnf file. In commercially-obtained certificates, retrieve this information by dumping the certificate's text information.
    This value is required when <subject-alt> is not specified.

  • <subject-alt>: The value of this should be the DNS name, FQDN or the IP address information in the X509v3 information of the server certificate. 
    This value is required when <subject> is not specified. 

To dump the server certificate's text information, use OpenSSL as follows:

openssl x509 -noout -text -in server.pem

Server Certificate

Certificate Expiry

When your server certificate expires, the credentials must be updated and re-provisioned with the new fingerprint.

To use the server certificate itself as a trust anchor, you must populate the <server-cert> tag in the <trust-anchor> section with the SHA-256 fingerprint of the server certificate.

To obtain this fingerprint, run OpenSSL as follows and strip the colon symbols from the resulting value:

openssl x509 -noout -fingerprint -sha256 -in server.pem


The optional services section is used to determine which services the credential will be automatically used for - each service will be contained in its own tag. For use with a trust router, it is better to use the selection-rules section instead. 


Selection Rules

The optional selection-rules section is used to restrict which services the credential will be automatically used for - for use with a trust router identity, the service type is "trustidentity" for all services. Wildcards are acceptable.

  • No labels