saml-dev message



Subject: [saml-dev] URGENT: A "plan" for the CA... Instructions for obtaining the certs


Hello all - I just got off the phone with Irving and also had some mail from him this morning with the following:

 

>In the meantime, I'm having a bit of a breakthrough on the portable PKI side - one of the guys I'm here with has installers for our CA, and is helping me get things set up, so I'll definitely have a private-root CA we can use.

 

As some may know, there are problems using the public CA at Baltimore, so based on the success Irving is now having, we have decided to NOT have folks try to use the public one. Irving will have this private CA working today. 

 

If everyone can email Irving your PKCS-10 cert request, he will use his private CA to create the certs and get them back to you.  For requests that he receives today, he believes he can process them tonight.  Tomorrow, he has several hours on a layover in Chicago during which he will check email for requests to process.  When he gets back home, he'll put his CA up on a public Baltimore address and folks will be able to request the certs directly from there over the weekend.  He'll need to take the CA down Sunday night in order to pack up for travel to Boston.  We will still put this CA up on a routable address during the RSA hosted dry run.

 

It is unfortunate that the Sun dry run participants will not have direct general internet access.  However, if someone at Sun can arrange for even just one system to have internet access, then we think we can still make this work.  Worst case is that folks will need to generate their requests, put them on a floppy, and take them to that system and then either email them to Irving or request them directly from this CA once it's up on the RSA network.  You'll get the certs back and you can sneakernet them to the dry run systems.

 

Don, Bhavna - will it be possible to even get access for 1 system somehow? Perhaps from someone's nearby office?

 

Don, I would STILL recommend setting up a local CA at the Sun dry run JUST IN CASE we can't get the above to work.  It's preferable to use a common CA, but using one at Sun and one at RSA would be impossible - it's just more roots for everyone to import.

 

For those that want to get their certs before the weekend, as I said, create the cert request and email it to Irving.  When you send him the request, please make sure to indicate the cert usage you want (i.e. server? client? both? other such as signing email?) The instructions for creating the cert requests are on the public Baltimore site at:

http://www.baltimore.com/servercert/ssltrial.asp

 

In the middle of the page are links with explicit instructions for requesting certs for the most popular servers - when I first looked at this page, I didn't realize the items in the list were actually links - they don't show up as links until you mouse-over the text.  Here they are for your convenience.  Note that even though the Microsoft link says IIS 3.0-4.0, there are also instructions on that page for IIS 5.0

Generating a Key Pair and CSR Instructions

I think that's about it.  If anyone has a major problem or questions, I recommend posting to the list or in an emergency try calling Irving on his cell phone at +1 416 877 3815

 

Cheers!

 

Rob Philpott

RSA Security Inc.

The Most Trusted Name in e-Security

Tel: 781-515-7115

Mobile: 617-510-0893

Fax: 781-515-7020

mailto:rphilpott@rsasecurity.com

 


