
Vetuma SAML signing certificate will change 13.1.2016

Government ICT Centre Valtori 4.12.2015 12.00

Vetuma PRODUCTION Bulletin (applies only to customers using SAML interface in the Vetuma production)

Vetuma SAML signing certificate will change on Wednesday January 13, 2016 at 12 noon in the Vetuma production. The new certificate uses the SHA-256 algorithm. This change requires actions by service vendors.

Fujitsu delivers the updated Vetuma service IdP metadata, which includes the renewed signing certificate. The certificate is valid for two years.

Metadata is delivered in two versions: transitional IdP metadata and final IdP metadata. The transitional metadata includes both the new and the old signing certificate. Final metadata includes only the new signing certificate.

There are two methods for changing the certificate, depending on whether the SAML software used by the service provider supports multiple signing certificates for one IdP.

When the service provider software supports multiple certificates, you can take advantage of the transitional IdP metadata, and the certificate rollover is simpler and safer to perform on your own schedule.

1. Rollover with multiple certificates (Using the transitional IdP metadata)

The service provider may switch to the transitional IdP metadata, which includes both the new and the old certificate, at a time most convenient to them (but no later than Wednesday January 13, 2016 at 12 noon).

Thus the service provider software accepts messages from Vetuma signed with either the old certificate or the new one. NOTE! This requires that the service provider software supports multiple certificates.

To complete the transition, you will need to remove the old certificate from your service provider software at your chosen time after January 13th, by loading the new final Vetuma IdP metadata into your service provider.

2. Rollover without multiple certificates (using the final IdP metadata)

If the service provider software does not support multiple certificates, the application provider will need to change the service provider configuration at the same moment Vetuma starts to sign messages using the new certificate. This is done by loading the final version of the IdP metadata on Wednesday January 13, 2016 at 12 noon.
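The difference between the two metadata versions is simply which signing certificates appear as KeyDescriptor elements under the IDPSSODescriptor. The following is an added example (not Vetuma's or Fujitsu's code) that parses such metadata, fingerprints each signing certificate and reports whether a file is the transitional or the final version; the certificate bytes and the entityID are constructed stand-ins, not the real Vetuma certificates.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def signing_cert_fingerprints(metadata_xml: str) -> list:
    """SHA-256 fingerprints (hex) of each signing certificate in the IdP
    metadata, in document order. A KeyDescriptor with no 'use' attribute
    is valid for both signing and encryption, so it is included too."""
    root = ET.fromstring(metadata_xml)
    fps = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            fps.append(hashlib.sha256(der).hexdigest())
    return fps


def rollover_state(metadata_xml: str, old_fp: str, new_fp: str) -> str:
    """Classify which phase of the rollover a metadata file belongs to."""
    fps = set(signing_cert_fingerprints(metadata_xml))
    if fps == {old_fp, new_fp}:
        return "transitional"   # both certs: usable only by multi-cert SP software
    if fps == {new_fp}:
        return "final"          # new cert only: required after the cutover
    if fps == {old_fp}:
        return "old"            # will stop verifying once the IdP switches
    return "unexpected"         # anything else deserves a manual look


def build_metadata(ders: list) -> str:
    """Constructed minimal IdP metadata with one signing KeyDescriptor per cert."""
    kds = "".join(
        '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        f"<ds:X509Certificate>{base64.b64encode(d).decode()}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>" for d in ders)
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}"'
            ' entityID="https://idp.example.invalid">'
            f"<md:IDPSSODescriptor>{kds}</md:IDPSSODescriptor></md:EntityDescriptor>")


# Constructed stand-ins for the DER bytes of the old and the new certificate.
OLD_DER, NEW_DER = b"constructed-old-cert-der", b"constructed-new-cert-der"
OLD_FP, NEW_FP = (hashlib.sha256(d).hexdigest() for d in (OLD_DER, NEW_DER))
TRANSITIONAL_XML = build_metadata([OLD_DER, NEW_DER])
FINAL_XML = build_metadata([NEW_DER])
```

Running the fingerprint function against the metadata your SP actually loaded is a quick way to confirm that software which claims multi-certificate support did not silently keep only the first KeyDescriptor.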

Updated IdP metadata files are available for download at:

https://tunnistus.suomi.fi/info/tunnistus.suomi.fi-IDP-transit-metadata.xml

https://tunnistus.suomi.fi/info/tunnistus.suomi.fi-IDP-new-metadata.xml

Old metadata is currently downloadable at:

https://tunnistus.suomi.fi/info/tunnistus.suomi.fi-IDP-old-metadata.xml

Vetuma starts to sign SAML messages using the new certificate on Wednesday January 13, 2016 at 12 noon. It is essential that from that moment on the service provider software is using either the transitional IdP metadata or the final IdP metadata.

NOTE! The certificate chain is also changing, so download the new intermediate certificate if necessary at:

VRK CA for the Service Providers - G2

http://vrk.fineid.fi/certs/vrksp2.crt

If you would like more information, please send an email to VETUMA.palvelu[at]fi.fujitsu.com

NOTE! Please send an e-mail confirmation that the matter has been taken into account, together with information on the SAML service provider you represent.