First, get the UK federation MDQ certificate:
sudo wget -O /etc/shibboleth/ukfederation-mdq.crt http://mdq.ukfederation.org.uk/ukfederation-mdq.pem
Check the fingerprint:
openssl x509 -fingerprint -in /etc/shibboleth/ukfederation-mdq.crt -sha256
Then contact the Federation Helpdesk (http://www.ukfederation.org.uk/content/Documents/UKFederationHelpdesk) to verify the MDQ certificate fingerprint.
On Windows, first download the latest 'ukfederation-mdq.pem' certificate and copy it into C:\opt\shibboleth-sp\etc\shibboleth (substitute your own installation location if you chose a non-default one). Rename the file to 'ukfederation-mdq.crt' so that Windows recognises it as a certificate from its extension. This digital certificate will be used to verify UK Federation digital signatures.
To verify the certificate fingerprint, right-click the ukfederation-mdq.crt file in Windows Explorer and select 'Open'. When the Certificate dialogue box opens, click the 'Details' tab and scroll down to the 'Thumbprint' entry. This fingerprint value must be confirmed offline with the UK Federation Helpdesk to ensure its validity and guard against the possibility of your web site being compromised.
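The comparison step can be scripted so that the two display formats do not cause a false mismatch: openssl prints a colon-separated upper-case SHA-256 value, while the Windows 'Thumbprint' entry is a SHA-1 digest shown in lower case. The following is an added example, not part of the UK federation's own instructions; the script name check_fp.py and the sample bytes are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
# The digest is inferred from the number of hex digits in the reference value.
ALGO_BY_HEX_LEN = {40: "sha1", 64: "sha256"}

# Constructed placeholder bytes standing in for a certificate (not a real one).
SAMPLE_DER = bytes(range(64))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")


def cert_der(data: bytes) -> bytes:
    """Return the DER bytes of a PEM file; anything else is hashed as-is."""
    m = PEM_RE.search(data.decode("latin-1"))
    if m is None:
        return data
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def normalise(fingerprint: str) -> str:
    """Drop an 'xxx Fingerprint=' label, colons and spaces; lower-case."""
    return re.sub(r"[\s:]", "", fingerprint.split("=", 1)[-1]).lower()


def fingerprint_matches(cert_bytes: bytes, reference: str) -> bool:
    """Compare the certificate's digest with an out-of-band reference value."""
    ref = normalise(reference)
    algo = ALGO_BY_HEX_LEN.get(len(ref))
    if algo is None or not re.fullmatch(r"[0-9a-f]+", ref):
        raise ValueError("reference is not a SHA-1 or SHA-256 fingerprint")
    actual = hashlib.new(algo, cert_der(cert_bytes)).hexdigest()
    return hmac.compare_digest(actual, ref)


if __name__ == "__main__":
    # Usage: python check_fp.py <certificate file> "<fingerprint from Helpdesk>"
    with open(sys.argv[1], "rb") as fh:
        ok = fingerprint_matches(fh.read(), sys.argv[2])
    print("fingerprint matches" if ok else "MISMATCH: do not install this file")
    sys.exit(0 if ok else 1)
```

The reference value passed to the script must be the one confirmed with the Helpdesk, not a value copied from the same download.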