Subject: [saml-dev] PKI issues and the Baltimore trial certificate service


We finally got a chance to do some testing with the trial SSL certificate
service from Baltimore (http://www.baltimore.com/servercert/ssltrial.asp).
This service gives out certificates suitable for use in many of the current
SSL-enabled web servers (IIS, iPlanet, Apache/mod-ssl, Domino, ...). We were
able to obtain certificates from this service and successfully set up SAML
relationships, testing against our own software.

The certificates are signed by a private root, so we will need to pre-load
the root into all the browsers we're using for the demo. Short of everyone
paying for real web server certificates, I think this is the best we can do.

It's pretty easy to get certs from this service, as long as you can generate
a PEM-format PKCS#10 certificate request. The web page has instructions for
doing this for all the major web servers. I also have some scripts to use
OpenSSL to generate the keys and create the PKCS#10 request; these are handy
if your system can import PKCS#12 bundles (containing both the private
key and the certificates).

As I said, Baltimore's implementation works with these certificates;
however, I'm nervous about whether everybody else will be OK. There are so
many different flags and certificate extensions, and various implementations
have been known to require some really oddball things in order to work.

I've been trying to get a portable CA set up, so that if the Baltimore trial
certs don't work, we can switch over to using the portable CA with a private
root. Unfortunately, I'm on the road this week and it's not ready to roll
yet, so I won't have much opportunity to test it before next week. The idea
would be that we can put the portable CA on one of the routed IP addresses
at RSA during the dry run, so that people on the west coast can get at it;
in between the dry run and the show, I can make it available on a Baltimore
routed IP address.


Here's what OpenSSL tells me about the Baltimore trial certificates. The
first one is the SSL server cert, and the second is the private root
certificate for the CA.



C:\openssl>openssl x509 -in saml-cert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2928 (0xb70)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, O=Baltimore Technologies, CN=Baltimore Trial Root
        Validity
            Not Before: Jun  9 22:01:29 2002 GMT
            Not After : Jul  9 22:01:29 2002 GMT
        Subject: O=SAML Demo, CN=saml.nevex.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:dd:37:9b:0b:0f:9b:d6:27:53:68:f0:0f:c8:3b:
                    3b:32:62:76:60:e7:d3:6e:c6:26:f0:85:3f:31:9e:
                    9b:d2:6a:da:4d:0d:67:18:97:c5:05:99:75:17:d5:
                    a2:79:77:f5:c3:84:a6:e0:c0:2d:57:cc:3f:2c:28:
                    20:13:81:9f:2d:a9:16:38:c3:d2:6d:53:04:11:81:
                    e4:a3:e1:ea:76:71:55:e2:77:ad:4a:04:3a:ea:d3:
                    31:ba:bb:1a:e6:aa:b6:6a:02:c2:6c:48:a1:66:9d:
                    1f:c7:af:f2:39:49:f5:74:8e:84:e7:bc:29:2e:63:
                    cd:e8:de:f4:39:79:3c:3c:cf
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
            CA:FALSE
            X509v3 Key Usage:
            Key Encipherment
            Netscape Cert Type:
            SSL Server
    Signature Algorithm: md5WithRSAEncryption
        04:89:40:38:3c:7a:37:1f:13:1c:55:11:6d:85:69:ae:f4:51:
        8f:31:5b:fb:28:2b:a9:db:19:45:0e:13:5b:aa:18:af:5f:c3:
        8a:fc:5d:30:65:55:03:dc:ff:59:a1:33:47:2a:17:de:84:58:
        59:ba:bd:4a:7d:cb:4b:05:c6:51:69:96:c6:f9:f9:c8:08:cd:
        4a:23:ef:83:74:3a:a3:53:56:cb:91:5a:ec:5e:f3:7e:1c:43:
        0c:13:6c:e1:98:a7:68:9b:29:3a:b6:9e:89:a1:5e:10:ec:06:
        b4:9c:24:b5:08:62:2a:73:3c:0b:12:14:a6:03:e4:7e:cd:70:
        a3:37

C:\openssl>openssl x509 -in samlca-cert.pem -noout -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 33554739 (0x2000133)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=Baltimore Technologies, CN=Baltimore Trial Root
        Validity
            Not Before: Oct  6 20:46:00 2000 GMT
            Not After : Oct  6 23:59:00 2002 GMT
        Subject: C=US, O=Baltimore Technologies, CN=Baltimore Trial Root
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:b3:87:fc:b4:5f:59:82:23:e8:d6:12:fa:41:fb:
                    7d:6d:f4:3b:b6:4e:e2:3d:ce:78:22:a0:89:44:56:
                    b9:3b:3b:73:35:9a:1f:14:59:d0:28:76:09:de:67:
                    7f:69:d0:0c:ef:11:a5:cc:27:b6:12:53:f4:35:1c:
                    71:8a:e0:8e:5b:7e:ff:40:d9:80:21:79:10:34:94:
                    43:43:09:f1:ed:b8:b8:ea:58:35:2c:7d:04:35:f6:
                    dd:b0:11:20:80:96:dd:31:a5:95:55:20:17:0d:25:
                    c4:b2:99:9f:f7:0e:fb:f3:d7:3e:b3:1d:e3:d1:dd:
                    37:79:c8:12:01:37:8d:40:4f
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
        8b:72:9c:a2:57:06:74:c8:9a:83:31:ce:b7:d3:cd:56:51:3e:
        96:62:a0:81:04:d5:93:8a:a2:ed:e0:0a:1e:8e:da:a3:d1:d2:
        2e:eb:71:aa:91:77:b5:b2:35:50:81:71:67:b4:33:0d:05:5a:
        bf:d6:ca:1a:4c:ab:28:7f:ff:a1:f4:d3:a4:74:19:ca:e4:b6:
        c2:0d:a8:1e:c3:1f:0d:4c:12:de:4a:77:dc:9d:5c:62:9d:fa:
        43:a4:97:3c:5c:5c:e0:9e:2e:7d:0c:40:d9:5c:3c:f9:3d:d2:
        a6:83:d0:94:ee:e4:d9:24:e4:da:ab:b8:ec:8b:18:94:32:63:
        fd:18

 - irving -
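The workflow the message describes (OpenSSL key and PKCS#10 request, a private "portable CA" root, a server cert with the same extensions the trial cert shows, and a PKCS#12 bundle), as an added example that is not the author's scripts or Baltimore's service. The names Demo Trial Root and saml-demo.example, the 30-day validity and the password "demo" are constructed placeholders; it assumes the openssl command-line tool (1.1.1 or later).

```shell
#!/bin/sh
# Added example: a throwaway private CA that issues a cert shaped like the
# Baltimore trial cert, plus the checks a relying party runs against it.
set -e
WORK="${WORK:-$(mktemp -d)}"
CN="${CN:-saml-demo.example}"   # placeholder server hostname

# 1. Server key and PEM PKCS#10 request, the input the trial service asks for.
#    2048-bit RSA; the 2002 certs used 1024-bit keys, which is too weak today.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
    -out "$WORK/server.csr" -subj "/O=SAML Demo/CN=$CN" 2>/dev/null
}

# 2. Self-signed root with explicit CA extensions (the trial root above is a
#    V1 cert with no extensions; stating CA:TRUE and keyCertSign avoids
#    relying on each implementation's tolerance for that).
make_root() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca_ext.cnf"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.csr" -subj "/O=Demo CA/CN=Demo Trial Root" 2>/dev/null
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 30 \
    -extfile "$WORK/ca_ext.cnf" -out "$WORK/ca.pem" 2>/dev/null
}

# 3. Issue the server cert with the extensions the trial cert carried
#    (CA:FALSE, keyEncipherment, nsCertType server) plus a subjectAltName,
#    which current clients require and the 2002 cert did not have.
issue_server() {
  printf 'basicConstraints=CA:FALSE\nkeyUsage=keyEncipherment\nnsCertType=server\nsubjectAltName=DNS:%s\n' \
    "$CN" > "$WORK/srv_ext.cnf"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$WORK/srv_ext.cnf" -out "$WORK/server.pem" 2>/dev/null
}

# 4. Relying-party checks: does the cert chain to the root, and does its
#    text dump show the expected extension lines?  has_ext <pattern>
check_chain() { openssl verify -CAfile "$WORK/ca.pem" "$WORK/server.pem" >/dev/null 2>&1; }
has_ext() { openssl x509 -in "$WORK/server.pem" -noout -text | grep -q "$1"; }

# 5. PKCS#12 bundle (private key + cert + root) for servers that import those.
make_p12() {
  openssl pkcs12 -export -in "$WORK/server.pem" -inkey "$WORK/server.key" \
    -certfile "$WORK/ca.pem" -passout pass:demo -out "$WORK/server.p12" 2>/dev/null
}

make_csr; make_root; issue_server; make_p12
check_chain && has_ext "CA:FALSE" && has_ext "Key Encipherment" \
  && has_ext "SSL Server" && echo "ok: files in $WORK"
```

Running it prints the scratch directory holding the key, CSR, root, server cert and .p12; the same has_ext checks can be pointed at any downloaded cert to confirm its flags before a demo.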
