Self-signed: 2-pass variant to avoid CA:TRUE
It is not recommended to use CA-signed certificates with your IdPs or SPs. They bring no benefit and have some drawbacks (e.g. some older versions of mod_ssl refuse to work with expired SP certs).
Instead, you should generate a self-signed certificate with the following command (please adjust the subject):

openssl req -new -newkey rsa:2048 -x509 -subj "/C=HU/O=NIIF/OU=AAI/CN=$host" \
    -days 10000 -nodes -keyout $host-shib.key -out $host-shib.cert
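The two-pass generation the heading refers to, as an added example rather than a command from the original page: a CSR is produced first and then self-signed with `openssl x509 -req`, which, unlike `req -x509` under the default openssl.cnf v3_ca section, attaches no basicConstraints CA:TRUE extension; the subject fields are the page's sample values, while the host name, output directory and function names are assumptions.

```shell
# Added example (not from the original page). Assumes a POSIX shell and the
# openssl CLI; $host and the output directory are supplied by the caller.
set -eu

# Pass 1: private key + CSR only (no -x509, so the config's v3_ca section,
# which carries basicConstraints = CA:TRUE, is never applied).
# Pass 2: sign the CSR with its own key. "openssl x509 -req" adds no
# basicConstraints unless an -extfile explicitly requests one.
gen_shib_cert() {
    host="$1"
    dir="$2"
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/C=HU/O=NIIF/OU=AAI/CN=$host" \
        -keyout "$dir/$host-shib.key" -out "$dir/$host-shib.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$host-shib.csr" -signkey "$dir/$host-shib.key" \
        -days 10000 -out "$dir/$host-shib.cert" 2>/dev/null
    rm -f "$dir/$host-shib.csr"   # the CSR is not needed once signed
}

# Returns 0 (true) when the certificate asserts basicConstraints CA:TRUE,
# 1 otherwise; an SP/IdP signing cert should make this return 1.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Returns 0 when the public key embedded in the certificate ($1) matches
# the private key file ($2), i.e. the pair belongs together.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}
```

Call `gen_shib_cert idp.example.org /etc/shibboleth` and then `cert_is_ca /etc/shibboleth/idp.example.org-shib.cert`; the check should fail (exit 1), confirming the certificate cannot act as a CA.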