# HREF Key Rollover 2025 English ## Introduction The Hungarian Research and Educational Federation is migrating to a new metadata signing certificate (HREF-2025). All HREF members and partners must update their IdP and SP configurations with the new signing certificate by June 14, 2025, in order to ensure uninterrupted access to federated services supporting eduID.hu. After this date, the old signing certificate (HREF-2020), which has been in use for more than 4 years, will be decommissioned, and 10 days after its last use, the old metadata will become invalid. The tables below contain all necessary data for the transition. Where possible, configuration examples offer solutions that allow simultaneous use of both the old and new metadata. ## Key Rollover ### Code names | Code name | Metadata signing certificate | Date of expiration | |---|---|---| | HREF-2011 | [https://metadata.eduid.hu/certs/href-metadata-signer-2011.crt href-metadata-signer-2011.crt] | 2022.01.01. | | HREF-2015 | [https://metadata.eduid.hu/certs/mdx-test-signer-2020.crt mdx-test-signer-2015.crt] | 2022.01.01. | | HREF-2020 | [https://metadata.eduid.hu/certs/href-metadata-signer-2020.crt href-metadata-signer-2020.crt] | 2025.06.14. | | HREF-2025 | [https://metadata.eduid.hu/certs/href-metadata-signer-2025.crt href-metadata-signer-2025.crt] | 2030.06.14. | ### SHA1 fingerprints | Code name | SHA1 fingerprint | |---|---| | HREF-2011 | `FE:AE:0B:E8:FB:59:ED:F7:CB:7F:69:DF:19:4F:8B:6D:C7:F6:96:66` | | HREF-2015 | `91:81:AD:2B:F1:C1:4E:47:93:A2:9D:49:34:B7:77:62:4F:2F:98:43` | | HREF-2020 | `C3:72:DC:75:4C:FA:BA:65:63:52:D9:6B:47:5B:44:7E:AA:F6:45:61` | | HREF-2025 | `45:B2:33:96:7C:4F:7E:42:86:8D:CC:CF:CC:0E:3E:1C:2E:24:C2:DE` | ### Domain names | Domain | URL | Key | Status | |---|---|---|---| | metadata.eduid.hu | `metadata.eduid.hu/2011/href.xml` | HREF-2011 | Prod | | | `metadata.eduid.hu/2020/href.xml` | HREF-2020 | Prod | | | `metadata.eduid.hu/2025/href.xml` | HREF-2025 | Prod | | mdx.eduid.hu | `mdx-2015.eduid.hu` | HREF-2015 | Prod | | | `mdx-2020.eduid.hu` | HREF-2020 | Prod | | | `mdx-2025.eduid.hu` | HREF-2025 | Prod | ### Discovery Service change | URL | |---| | | | | ## Shibboleth Service Provider beállítások ### XML ```xml ``` ### MDX #### Shibboleth 3.X ```xml ``` ##### példa apache + shibboleth 3.X - sed segítségével ``` sudo sed 's/mdx-2020.eduid.hu/mdx-2025.eduid.hu/g' /etc/shibboleth/shibboleth2.xml -i sudo sed 's/href-2020/href-2025/g' /etc/shibboleth/shibboleth2.xml -i sudo sed 's/href-metadata-signer-2020.crt/href-metadata-signer-2025.crt/g' /etc/shibboleth/shibboleth2.xml -i sudo sed 's#https://mdx-202..eduid.hu/role/idp.ds#https://mdx-2025.eduid.hu/discovery/ds#g' /etc/shibboleth/shibboleth2.xml -i sudo systemctl restart shibd.service apache2.service ``` #### Shibboleth 2.X ```xml https://mdx-2020.eduid.hu/entities/$entityID https://mdx-2025.eduid.hu/entities/$entityID ``` ## Shibboleth Identity Provider beállítások ### XML #### Shibboleth 4.X ```xml md:SPSSODescriptor ``` #### Shibboleth 3.X ```xml md:SPSSODescriptor ``` ### MDX #### Shibboleth 4.X ```xml https://mdx-2025.eduid.hu/ ``` #### Shibboleth 3.X ```xml https://mdx-2025.eduid.hu/ ``` ## SimpleSAMLphp ### MDX ```php //config/config.php 'metadata.sources' => [ ['type' => 'flatfile'], // ez a *-hosted metadata konfiguráció betöltése miatt szükséges [ 'type' => 'mdq', 'server' => 'https://mdx-2025.eduid.hu', /* --- */ 'validateFingerprint' => '45:B2:33:96:7C:4F:7E:42:86:8D:CC:CF:CC:0E:3E:1C:2E:24:C2:DE' ], ], ``` ### metarefresh ```php // config/config-metarefresh.php $config = [ 'sets' => [ 'href-2020' => [ 'cron' => ['hourly'], 'sources' => [ [ 'src' => 'https://metadata.eduid.hu/2020/href.xml', 'validateFingerprint' => 'C3:72:DC:75:4C:FA:BA:65:63:52:D9:6B:47:5B:44:7E:AA:F6:45:61', ], ], 'expireAfter' => 777600, // 9 nap. 'outputDir' => 'metadata/metarefresh-href-2020/', 'outputFormat' => 'flatfile', ], 'href-2025' => [ 'cron' => ['hourly'], 'sources' => [ [ 'src' => 'https://metadata.eduid.hu/2025/href.xml', 'validateFingerprint' => '45:B2:33:96:7C:4F:7E:42:86:8D:CC:CF:CC:0E:3E:1C:2E:24:C2:DE', ], ], 'expireAfter' => 777600, // 9 nap. 'outputDir' => 'metadata/metarefresh-href-2025/', 'outputFormat' => 'flatfile', ], ], ]; ``` ```php // config/config.php 'metadata.sources' => [ ['type' => 'flatfile'], ['type' => 'flatfile', 'directory' => 'metadata/metarefresh-href-2020'], ['type' => 'flatfile', 'directory' => 'metadata/metarefresh-href-2025'], ], ``` ## FAQ /GYIK Bővítés alatt! * Miért cserél KIFÜ kulcsot? * IdP-t érinti? * Mi a helyzet az eduGAIN-t használó IdP-kkel? * Mi a helyzet az eduGAIN-t használó SP-kkel? * Hogyan tudom ellenőrízni, hogy jó kulcsot használok?