Subject: RE: [saml-dev] PKI issues and the Baltimore trial certificate service


Hi Bhavna,
 
We found that the root certificate downloaded from the Baltimore Trial Root website contains an extra newline before the 'end certificate' tag. Removing this newline character should fix your problem.
 
thanks,
Tahura
 
-----Original Message-----
From: Bhavna Bhatnagar [mailto:Bhavna.Bhatnagar@Sun.COM]
Sent: Wednesday, June 12, 2002 10:39 AM
To: Irving Reid
Cc: 'saml-dev@lists.oasis-open.org'
Subject: Re: [saml-dev] PKI issues and the Baltimore trial certificate service

I tried getting the certs and could download both the server and root cert, but
could only install the server cert into my web server (iPlanet web server).
On trying to install the root cert I get the following error:

Incorrect Usage:Invalid Certificate
The server could not import one of the certificates.

Not sure what's going on. Just to make sure that I can upload certs, though,
I did try to load Thawte's root cert from www.thawte.com and that works.

Bhavna

Irving Reid wrote:

We finally got a chance to do some testing with the trial SSL certificate
service from Baltimore (http://www.baltimore.com/servercert/ssltrial.asp).
This service gives out certificates suitable for use in many of the current
SSL-enabled web servers (IIS, iPlanet, Apache/mod-ssl, Domino, ...). We were
able to obtain certificates from this service and successfully set up SAML
relationships, testing against our own software.

The certificates are signed by a private root, so we will need to pre-load
the root into all the browsers we're using for the demo. Short of everyone
paying for real web server certificates, I think this is the best we can do.

It's pretty easy to get certs from this service, as long as you can generate
a PEM-format PKCS#10 certificate request. The web page has instructions for
doing this for all the major web servers. I also have some scripts to use
OpenSSL to generate the keys and create the PKCS#10 request; these are handy
if your system can import PKCS#12 bundles (containing both the private
key and the certificates).

As I said, Baltimore's implementation works with these certificates;
however, I'm nervous about whether everybody else will be OK. There are so
many different flags and certificate extensions, and various implementations
have been known to require some really oddball things in order to work.

I've been trying to get a portable CA set up, so that if the Baltimore trial
certs don't work, we can switch over to using the portable CA with a private
root. Unfortunately, I'm on the road this week and it's not ready to roll
yet, so I won't have much opportunity to test it before next week. The idea
would be that we can put the portable CA on one of the routed IP addresses
at RSA during the dry run, so that people on the west coast can get at it;
in between the dry run and the show, I can make it available on a Baltimore
routed IP address.

Here's what OpenSSL tells me about the Baltimore trial certificates. The
first one is the SSL server cert, and the second is the private root
certificate for the CA.

C:\openssl>openssl x509 -in saml-cert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2928 (0xb70)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, O=Baltimore Technologies, CN=Baltimore Trial Root
        Validity
            Not Before: Jun  9 22:01:29 2002 GMT
            Not After : Jul  9 22:01:29 2002 GMT
        Subject: O=SAML Demo, CN=saml.nevex.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:dd:37:9b:0b:0f:9b:d6:27:53:68:f0:0f:c8:3b:
                    3b:32:62:76:60:e7:d3:6e:c6:26:f0:85:3f:31:9e:
                    9b:d2:6a:da:4d:0d:67:18:97:c5:05:99:75:17:d5:
                    a2:79:77:f5:c3:84:a6:e0:c0:2d:57:cc:3f:2c:28:
                    20:13:81:9f:2d:a9:16:38:c3:d2:6d:53:04:11:81:
                    e4:a3:e1:ea:76:71:55:e2:77:ad:4a:04:3a:ea:d3:
                    31:ba:bb:1a:e6:aa:b6:6a:02:c2:6c:48:a1:66:9d:
                    1f:c7:af:f2:39:49:f5:74:8e:84:e7:bc:29:2e:63:
                    cd:e8:de:f4:39:79:3c:3c:cf
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
            CA:FALSE
            X509v3 Key Usage:
            Key Encipherment
            Netscape Cert Type:
            SSL Server
    Signature Algorithm: md5WithRSAEncryption
        04:89:40:38:3c:7a:37:1f:13:1c:55:11:6d:85:69:ae:f4:51:
        8f:31:5b:fb:28:2b:a9:db:19:45:0e:13:5b:aa:18:af:5f:c3:
        8a:fc:5d:30:65:55:03:dc:ff:59:a1:33:47:2a:17:de:84:58:
        59:ba:bd:4a:7d:cb:4b:05:c6:51:69:96:c6:f9:f9:c8:08:cd:
        4a:23:ef:83:74:3a:a3:53:56:cb:91:5a:ec:5e:f3:7e:1c:43:
        0c:13:6c:e1:98:a7:68:9b:29:3a:b6:9e:89:a1:5e:10:ec:06:
        b4:9c:24:b5:08:62:2a:73:3c:0b:12:14:a6:03:e4:7e:cd:70:
        a3:37

C:\openssl>openssl x509 -in samlca-cert.pem -noout -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 33554739 (0x2000133)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=Baltimore Technologies, CN=Baltimore Trial Root
        Validity
            Not Before: Oct  6 20:46:00 2000 GMT
            Not After : Oct  6 23:59:00 2002 GMT
        Subject: C=US, O=Baltimore Technologies, CN=Baltimore Trial Root
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:b3:87:fc:b4:5f:59:82:23:e8:d6:12:fa:41:fb:
                    7d:6d:f4:3b:b6:4e:e2:3d:ce:78:22:a0:89:44:56:
                    b9:3b:3b:73:35:9a:1f:14:59:d0:28:76:09:de:67:
                    7f:69:d0:0c:ef:11:a5:cc:27:b6:12:53:f4:35:1c:
                    71:8a:e0:8e:5b:7e:ff:40:d9:80:21:79:10:34:94:
                    43:43:09:f1:ed:b8:b8:ea:58:35:2c:7d:04:35:f6:
                    dd:b0:11:20:80:96:dd:31:a5:95:55:20:17:0d:25:
                    c4:b2:99:9f:f7:0e:fb:f3:d7:3e:b3:1d:e3:d1:dd:
                    37:79:c8:12:01:37:8d:40:4f
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
        8b:72:9c:a2:57:06:74:c8:9a:83:31:ce:b7:d3:cd:56:51:3e:
        96:62:a0:81:04:d5:93:8a:a2:ed:e0:0a:1e:8e:da:a3:d1:d2:
        2e:eb:71:aa:91:77:b5:b2:35:50:81:71:67:b4:33:0d:05:5a:
        bf:d6:ca:1a:4c:ab:28:7f:ff:a1:f4:d3:a4:74:19:ca:e4:b6:
        c2:0d:a8:1e:c3:1f:0d:4c:12:de:4a:77:dc:9d:5c:62:9d:fa:
        43:a4:97:3c:5c:5c:e0:9e:2e:7d:0c:40:d9:5c:3c:f9:3d:d2:
        a6:83:d0:94:ee:e4:d9:24:e4:da:ab:b8:ec:8b:18:94:32:63:
        fd:18

 - irving -

-- 
________________________________________________________________________ 
Bhavna Bhatnagar                                Sun Microsystems Inc.            
Identity Management group        __o
Tel: 408-276-3591              _`\<,_   
                              (*)/ (*)
 ________________________________________________________________________
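The stray newline Tahura describes at the top of the thread is easy to catch before a strict importer such as the one in iPlanet rejects the file. The following is an added example, not code from the thread or from any product mentioned in it: it lints a PEM certificate block, reports a blank line inside the body, rewrites the block in canonical form, and checks that the decoded bytes form exactly one DER SEQUENCE. The certificate body it uses is a constructed stand-in, not a real certificate.

```python
import base64
import binascii
BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def der_total_length(der):
    """Bytes the outer ASN.1 SEQUENCE claims to span, or None if its header is malformed."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    if der[1] < 0x80:                     # short-form length
        return 2 + der[1]
    n = der[1] & 0x7F                     # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_pem(text):
    """Lint one PEM certificate block. Returns (problems, der_bytes_or_None)."""
    lines = text.replace("\r\n", "\n").split("\n")
    if BEGIN not in lines or END not in lines:
        return ["missing BEGIN/END CERTIFICATE markers"], None
    start, end = lines.index(BEGIN), lines.index(END)
    problems = []
    for num, line in enumerate(lines[start + 1:end], start + 2):   # 1-based line numbers
        if line.strip() == "":
            problems.append(f"line {num}: blank line inside PEM body")
        elif len(line) > 64:
            problems.append(f"line {num}: base64 line longer than 64 columns")
    joined = "".join(l.strip() for l in lines[start + 1:end])
    try:
        der = base64.b64decode(joined, validate=True)  # rejects non-base64 characters
    except (binascii.Error, ValueError):
        return problems + ["body does not decode as base64"], None
    if der_total_length(der) != len(der):
        problems.append("decoded body is not exactly one well-formed DER SEQUENCE")
    return problems, der

def normalize_pem(text):
    """Rebuild the block the strict way: no blank lines, base64 wrapped at 64 columns."""
    lines = text.replace("\r\n", "\n").split("\n")
    start, end = lines.index(BEGIN), lines.index(END)
    joined = "".join(l.strip() for l in lines[start + 1:end])
    wrapped = [joined[i:i + 64] for i in range(0, len(joined), 64)]
    return "\n".join([BEGIN, *wrapped, END]) + "\n"

# Constructed sample: a minimal DER SEQUENCE stands in for a real certificate body.
FAKE_DER = bytes.fromhex("3006020101020102")
FAKE_B64 = base64.b64encode(FAKE_DER).decode()
GOOD_PEM = f"{BEGIN}\n{FAKE_B64}\n{END}\n"
BAD_PEM = f"{BEGIN}\n{FAKE_B64}\n\n{END}\n"   # stray blank line before END, as in the thread
```

Running `check_pem` on a downloaded root certificate before importing it reports the blank line by number, and `normalize_pem` produces the file a strict importer expects.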
 