Renew Shibboleth SSL Certificate
Overview
This guide describes the process for renewing and updating the SSL certificate for shibboleth.statista.com on the Shibboleth instances.
ℹ️ Configuration Management: Certificate files and Shibboleth configuration are version-controlled in the shibboleth-server-configuration repository. Use the repository's deployment script to push certificate changes to both servers.
Prerequisites
- Access to cheapsslshop account (credentials in LastPass)
- Access to DFN AAI metadata management (credentials in LastPass)
- SSH access to ec2-euc-shib-01 and ec2-euc-shib-02 instances
- VPN connection established
- SSH key:
euc-shib.pem - Local clone of the shibboleth-server-configuration repository
Important Notes
⚠️ Warning: The
systemctl restart shibdcommand doesn't work reliably. Always stop the service first withsystemctl stop shibdand then start it withsystemctl start shibd.⚠️ Warning: Service start can take 90 minutes (not 15-20 as previously documented). Only stop/start one instance at a time to maintain service availability.
Steps
1. Renew Certificate
- Log in to cheapsslshop (credentials in LastPass)
- Renew the certificate for
shibboleth.statista.com
2. Generate CSR
- SSH into one of the Shibboleth instances
- Use the existing private key to generate a Certificate Signing Request (CSR)
- Submit the CSR to complete the certificate renewal
3. Add New Certificate to Configuration Repository (Day 0)
-
Clone or update the shibboleth-server-configuration repository:
cd /path/to/shibboleth-server-configuration git pull -
Add the new certificate file to
etc/shibboleth/(e.g.,shibboleth.statista.com-2026.crt.pem) -
Edit
etc/shibboleth/shibboleth2.xmlto add the new certificate in the CredentialResolver section:<CredentialResolver type="Chaining"> <!-- old certificate --> <CredentialResolver type="File" key="shibboleth.statista.com.key.pem" certificate="shibboleth.statista.com-2025.crt.pem"/> <!-- new certificate --> <CredentialResolver type="File" key="shibboleth.statista.com.key.pem" certificate="shibboleth.statista.com-2026.crt.pem"/> </CredentialResolver> -
Commit and push changes:
git add . git commit -m "Add 2026 certificate for renewal" git push -
Deploy to both servers using the deployment script:
./deploy.sh # Select option 3 (Both servers) -
Restart shibd on ec2-euc-shib-02 first:
ssh user@ec2-3-67-78-187.eu-central-1.compute.amazonaws.com 'sudo systemctl stop shibd && sudo systemctl start shibd' -
Wait for ec2-euc-shib-02 to complete startup (~90 minutes) and verify:
curl https://shibboleth.statista.com/Shibboleth.sso/Status -k -
After ec2-euc-shib-02 is healthy, restart ec2-euc-shib-01:
ssh user@ec2-52-57-79-135.eu-central-1.compute.amazonaws.com 'sudo systemctl stop shibd && sudo systemctl start shibd'
Reference: DFN AAI Documentation - Step 4 at SP
4. Update DFN AAI Metadata (Day 0)
- Log in to DFN AAI metadata management (credentials in LastPass)
- Add the new certificate to the metadata
- Wait 24 hours for propagation
5. Change Certificate Order (Day 1)
-
In the shibboleth-server-configuration repository, edit
etc/shibboleth/shibboleth2.xmland change the order of certificates (new certificate first):<CredentialResolver type="Chaining"> <!-- new certificate --> <CredentialResolver type="File" key="shibboleth.statista.com.key.pem" certificate="shibboleth.statista.com-2026.crt.pem"/> <!-- old certificate --> <CredentialResolver type="File" key="shibboleth.statista.com.key.pem" certificate="shibboleth.statista.com-2025.crt.pem"/> </CredentialResolver> -
Commit and push:
git add etc/shibboleth/shibboleth2.xml git commit -m "Change certificate order - prioritize 2026 cert" git push -
Deploy and restart both servers (one at a time):
./deploy.sh # Select option 3 (Both servers)
Reference: DFN AAI Documentation - Step 5 at SP
6. Remove Old Certificate from Metadata (Day 1)
- Log in to DFN AAI metadata management
- Remove the old certificate from the metadata
- Wait 24 hours for propagation across DFN AAI and UK Federation IdPs
7. Remove Old Certificate from Configuration (Day 2)
-
In the shibboleth-server-configuration repository, edit
etc/shibboleth/shibboleth2.xmland remove the old certificate:<CredentialResolver type="Chaining"> <!-- new certificate --> <CredentialResolver type="File" key="shibboleth.statista.com.key.pem" certificate="shibboleth.statista.com-2026.crt.pem"/> </CredentialResolver> -
Optionally remove or archive the old certificate file from
etc/shibboleth/ -
Commit and push:
git add . git commit -m "Remove old 2025 certificate" git push -
Deploy and restart both servers (one at a time):
./deploy.sh
Verification
After each restart, always verify the service is running properly:
curl https://shibboleth.statista.com/Shibboleth.sso/Status -k
Check the logs for any issues:
ssh user@hostname 'sudo tail -f /var/log/shibboleth/shibd.log'
Troubleshooting
For major issues, escalate to the responsible team. See Statista Atlassian for related troubleshooting documentation.
A word on: Shibboleth Service Provider (shibd) Startup Time
Normal Behavior
Expected startup time: ~1.5 hours
The Shibboleth daemon takes approximately 90 minutes to start due to processing large federation metadata files totaling ~270 MB of XML.
During startup, shibd parses thousands of IdP definitions and validates cryptographic signatures on all metadata. The signature validation is the most time-consuming step, but ensures metadata authenticity.
Why This Is Acceptable
- Restarts only occur during annual certificate updates
- Service remains available on the other instance during restart
- No production impact when properly planned
Emergency Workaround
If faster startup is critical during an incident, you can temporarily disable signature validation by commenting out all <MetadataFilter type="Signature".../> lines in /etc/shibboleth/shibboleth2.xml. This reduces startup time to 15-20 minutes.
⚠️ Warning: Disabling signature validation reduces security. Only use in time-critical situations and re-enable afterward. Always backup the configuration file first.