16.04.2019 14:52

Important: Expiration date of our CA Certificates (G1) ahead

By: DFN-AAI Team

Please be aware that the first generation (G1) of certificates issued by our Certification Authority DFN-PKI will expire on July 9th 2019 (11:59 p.m. UTC). Signing of federation metadata will be switched to G2-only on May 23rd.


For Service Providers not using DFN-PKI certificates for the SP and/or web server, it is still necessary to update your configuration for signature validation.

For the last two years, we have been delivering our federation metadata in two flavours: signed by an old key and signed by a new key. As of May 23rd 2019, we will only sign with a second generation key. Please check that your SP validates the metadata correctly (Metadata Provider example configuration). The signature validation has to point to DFN-PKI's G2 certificate. You can find the download URLs for the G2-signed federation metadata, the certificate for signature validation and its SHA-256 fingerprint in our documentation.

Please bear in mind that the federation metadata are valid for a period of 5 days. If you run into problems with signature validation on May 28th 2019, please recheck your configuration.
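The following pre-flight check is an added example, not DFN-AAI's own tooling: it compares the SHA-256 fingerprint of a locally stored PEM certificate with a published value and reports how much validity a metadata file has left. The PEM payload, the metadata skeleton and all function names are constructed for illustration; substitute the real G2 certificate and the fingerprint from the documentation.

```python
import base64
import hashlib
import hmac
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed stand-in for a PEM file: the payload is NOT a real certificate,
# it only gives the fingerprint routine some bytes to hash.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"constructed placeholder, not a DFN-PKI certificate").decode()
    + "-----END CERTIFICATE-----\n"
)

# Constructed metadata skeleton; real federation metadata also carry a ds:Signature.
SAMPLE_METADATA = (
    '<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
    'validUntil="2019-05-28T10:00:00Z"/>'
)


def pem_sha256_fingerprint(pem: str) -> str:
    """Return the SHA-256 fingerprint of the DER body of a PEM certificate as AA:BB:..."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    if m is None:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 64, 2))


def fingerprint_matches(pem: str, published: str) -> bool:
    """Compare against a published fingerprint, ignoring case, colons and spaces."""
    norm = lambda s: re.sub(r"[^0-9a-f]", "", s.lower())
    return hmac.compare_digest(norm(pem_sha256_fingerprint(pem)), norm(published))


def metadata_time_left(xml_text: str, now: datetime):
    """Return the timedelta until validUntil on the root element (negative = expired)."""
    # Diagnostic only: this reads validUntil without verifying the signature.
    valid_until = ET.fromstring(xml_text).get("validUntil")
    if valid_until is None:
        raise ValueError("metadata root has no validUntil attribute")
    expiry = datetime.strptime(valid_until, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return expiry - now
```

A mismatching fingerprint means the SP is still pinned to a different certificate than the one published; a negative time left means the cached metadata have already expired and a fresh, correctly validated copy is needed.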

Do not hesitate to contact us with questions at hotline@aai.dfn.de.

Warning: IdPs and SPs with expired certificates are automatically removed from DFN-AAI.