Subject: [saml-dev] PKI issues and the Baltimore trial certificate service
We finally got a chance to do some testing with the trial SSL certificate service from Baltimore (http://www.baltimore.com/servercert/ssltrial.asp). This service gives out certificates suitable for use in many of the current SSL-enabled web servers (IIS, iPlanet, Apache/mod-ssl, Domino, ...). We were able to obtain certificates from this service and successfully set up SAML relationships, testing against our own software. The certificates are signed by a private root, so we will need to pre-load the root into all the browsers we're using for the demo. Short of everyone paying for real web server certificates, I think this is the best we can do.

It's pretty easy to get certs from this service, as long as you can generate a PEM-format PKCS#10 certificate request. The web page has instructions for doing this for all the major web servers. I also have some scripts to use OpenSSL to generate the keys and create the PKCS#10 request; these are handy if your system can import PKCS#12 bundles (containing both the private key and the certificates).

As I said, Baltimore's implementation works with these certificates; however, I'm nervous about whether everybody else will be OK. There are so many different flags and certificate extensions, and various implementations have been known to require some really oddball things in order to work.

I've been trying to get a portable CA set up, so that if the Baltimore trial certs don't work, we can switch over to using the portable CA with a private root. Unfortunately, I'm on the road this week and it's not ready to roll yet, so I won't have much opportunity to test it before next week. The idea would be that we can put the portable CA on one of the routed IP addresses at RSA during the dry run, so that people on the west coast can get at it; in between the dry run and the show, I can make it available on a Baltimore routed IP address.

Here's what OpenSSL tells me about the Baltimore trial certificates.
The first one is the SSL server cert, and the second is the private root certificate for the CA.

C:\openssl>openssl x509 -in saml-cert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2928 (0xb70)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, O=Baltimore Technologies, CN=Baltimore Trial Root
        Validity
            Not Before: Jun  9 22:01:29 2002 GMT
            Not After : Jul  9 22:01:29 2002 GMT
        Subject: O=SAML Demo, CN=saml.nevex.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:dd:37:9b:0b:0f:9b:d6:27:53:68:f0:0f:c8:3b:
                    3b:32:62:76:60:e7:d3:6e:c6:26:f0:85:3f:31:9e:
                    9b:d2:6a:da:4d:0d:67:18:97:c5:05:99:75:17:d5:
                    a2:79:77:f5:c3:84:a6:e0:c0:2d:57:cc:3f:2c:28:
                    20:13:81:9f:2d:a9:16:38:c3:d2:6d:53:04:11:81:
                    e4:a3:e1:ea:76:71:55:e2:77:ad:4a:04:3a:ea:d3:
                    31:ba:bb:1a:e6:aa:b6:6a:02:c2:6c:48:a1:66:9d:
                    1f:c7:af:f2:39:49:f5:74:8e:84:e7:bc:29:2e:63:
                    cd:e8:de:f4:39:79:3c:3c:cf
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Key Encipherment
            Netscape Cert Type:
                SSL Server
    Signature Algorithm: md5WithRSAEncryption
        04:89:40:38:3c:7a:37:1f:13:1c:55:11:6d:85:69:ae:f4:51:
        8f:31:5b:fb:28:2b:a9:db:19:45:0e:13:5b:aa:18:af:5f:c3:
        8a:fc:5d:30:65:55:03:dc:ff:59:a1:33:47:2a:17:de:84:58:
        59:ba:bd:4a:7d:cb:4b:05:c6:51:69:96:c6:f9:f9:c8:08:cd:
        4a:23:ef:83:74:3a:a3:53:56:cb:91:5a:ec:5e:f3:7e:1c:43:
        0c:13:6c:e1:98:a7:68:9b:29:3a:b6:9e:89:a1:5e:10:ec:06:
        b4:9c:24:b5:08:62:2a:73:3c:0b:12:14:a6:03:e4:7e:cd:70:
        a3:37

C:\openssl>openssl x509 -in samlca-cert.pem -noout -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 33554739 (0x2000133)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=Baltimore Technologies, CN=Baltimore Trial Root
        Validity
            Not Before: Oct  6 20:46:00 2000 GMT
            Not After : Oct  6 23:59:00 2002 GMT
        Subject: C=US, O=Baltimore Technologies, CN=Baltimore Trial Root
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:b3:87:fc:b4:5f:59:82:23:e8:d6:12:fa:41:fb:
                    7d:6d:f4:3b:b6:4e:e2:3d:ce:78:22:a0:89:44:56:
                    b9:3b:3b:73:35:9a:1f:14:59:d0:28:76:09:de:67:
                    7f:69:d0:0c:ef:11:a5:cc:27:b6:12:53:f4:35:1c:
                    71:8a:e0:8e:5b:7e:ff:40:d9:80:21:79:10:34:94:
                    43:43:09:f1:ed:b8:b8:ea:58:35:2c:7d:04:35:f6:
                    dd:b0:11:20:80:96:dd:31:a5:95:55:20:17:0d:25:
                    c4:b2:99:9f:f7:0e:fb:f3:d7:3e:b3:1d:e3:d1:dd:
                    37:79:c8:12:01:37:8d:40:4f
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
        8b:72:9c:a2:57:06:74:c8:9a:83:31:ce:b7:d3:cd:56:51:3e:
        96:62:a0:81:04:d5:93:8a:a2:ed:e0:0a:1e:8e:da:a3:d1:d2:
        2e:eb:71:aa:91:77:b5:b2:35:50:81:71:67:b4:33:0d:05:5a:
        bf:d6:ca:1a:4c:ab:28:7f:ff:a1:f4:d3:a4:74:19:ca:e4:b6:
        c2:0d:a8:1e:c3:1f:0d:4c:12:de:4a:77:dc:9d:5c:62:9d:fa:
        43:a4:97:3c:5c:5c:e0:9e:2e:7d:0c:40:d9:5c:3c:f9:3d:d2:
        a6:83:d0:94:ee:e4:d9:24:e4:da:ab:b8:ec:8b:18:94:32:63:
        fd:18

- irving -
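The post's worry is that different SSL stacks want different certificate extensions, and its fallback is a "portable CA" with a private root. Here is an added example, not part of irving's message and not Baltimore's or anyone's project code, that walks that fallback through with OpenSSL: create a private root, generate a server key and PEM PKCS#10 request, sign the request with server-style extensions (Basic Constraints CA:FALSE, Key Usage, Extended Key Usage, a subjectAltName), bundle key and chain into PKCS#12, and then check the result the same way the post does with openssl x509 -text before handing it to anyone's server. The CA and subject names, the host name saml.example.test, the scratch directory, the 30-day validity and the export password "demo" are all assumed values chosen for the example.

```shell
#!/bin/sh
# Added example: private-root CA, PKCS#10 request, signed server cert, PKCS#12
# bundle, and an extension check. All names/paths/passwords are assumptions.
set -e

WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumed); nothing is installed anywhere
cd "$WORK"

# 1. Private root, the "portable CA" role. A self-signed cert is all a browser
#    needs to have pre-loaded for the demo.
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/C=US/O=Example Demo CA/CN=Example Trial Root" \
    -keyout root-key.pem -out root-cert.pem 2>/dev/null
}

# 2. Server key plus a PEM-format PKCS#10 request, which is what the trial
#    service (and any CA) consumes.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=SAML Demo/CN=saml.example.test" \
    -keyout server-key.pem -out server.csr 2>/dev/null
}

# 3. Sign the request. The extension file is where the "oddball" requirements
#    of different SSL implementations get satisfied; change it, re-issue, re-check.
issue_cert() {
  cat > server-ext.cnf <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:saml.example.test
EOF
  openssl x509 -req -in server.csr -CA root-cert.pem -CAkey root-key.pem \
    -CAcreateserial -days 30 -sha256 -extfile server-ext.cnf \
    -out server-cert.pem 2>/dev/null
}

# 4. PKCS#12 bundle holding the private key, the server cert and the root,
#    for servers that import bundles rather than separate PEM files.
make_p12() {
  openssl pkcs12 -export -inkey server-key.pem -in server-cert.pem \
    -certfile root-cert.pem -passout pass:demo -out server.p12
}

# Checks a practitioner runs before shipping the cert to other people's servers.
verify_chain() {   # does the server cert chain to the private root?
  openssl verify -CAfile root-cert.pem server-cert.pem >/dev/null 2>&1
}
cert_has() {       # does the text dump contain a given extension value?
  openssl x509 -in server-cert.pem -noout -text | grep -q "$1"
}
p12_readable() {   # can the bundle be opened with the export password?
  openssl pkcs12 -in server.p12 -passin pass:demo -noout >/dev/null 2>&1
}

make_root
make_csr
issue_cert
make_p12
verify_chain && echo "chain: OK"
# Print just the extension block, the part the post is nervous about.
openssl x509 -in server-cert.pem -noout -text \
  | sed -n '/X509v3 extensions/,/Signature Algorithm/p'
```

Run it once per server type you need to support: edit server-ext.cnf to match what that server's documentation asks for, re-run issue_cert, and compare the printed extension block against the two dumps above. Note that the trial server cert above carries only Key Encipherment and the Netscape SSL Server type, and the trial root is a version 1 certificate with no extensions at all, which is exactly the kind of thing a stricter implementation may refuse; the check functions make such a mismatch visible before the dry run rather than during it.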