saml-dev message
Subject: Re: [saml-dev] Welcome to Crazy Irving's 24 Hour Certificate Depot!


Irving,
First of all thanks for staying up so late. Regarding the cert request, I had generated
it using the "Generate certificate request" option of iPlanet webserver. Since the machine I
had generated it from is already in a private network I could not directly send mail
from there, I sent you the /tmp/mail* file the server stores of the request ( that's
why you see all the text details on top ).
I am not very cert savvy but haven't come across any import PKCS12 option in the
server. I think I will need a TEXT file with a cert to install it, unless someone is also
using iPlanet webserver and knows of some other way. If it helps attaching
another request and also pasting it here:


Thanks

Bhavna
 

Irving Reid wrote:

At prices like these, you'll want one for the house and the car! And, even
better, the first n customers receive a free set of Ginsu private keys!

(I really need to get more sleep when I'm on the road...)

First, some background. Owners of major domain names (like, say, ibm.com or
sun.com) can get really snippy if they think you're issuing certificates
that could be used to set up fake web servers and trick people into thinking
they're official company property. This is something I hadn't really thought
of before this week, or I'd have suggested we take a different approach to
host naming.

For that reason, I've taken a few steps. First, the CA cert says "OASIS SAML
Demo" all over, and doesn't chain to a real trusted root. Second, I've set
the certificate lifetime on the issued certs to 60 days, so even if they
escape they won't last too much past the demo. Third, I'm overriding the OU
and O fields in your certificate requests and replacing them with "O=OASIS
SAML Demo". I'm comfortable with this as being clear enough that we can't be
blamed if someone clicks past one of these certs.

The next thing I did was override the extensions in your requests. According
to the Baltimore PKI expert who helped me get my CA set up, there's no harm
(in our environment) with having more extensions than you really need in
your certs. So, I'm issuing everybody's certs with the works - Netscape SSL
client and server, everybody else's SSL client and server, and signing (for
S/MIME).

So, with that, I've attached the first batch. I've done everybody both as a
binary (DER) format .p7b file (PKCS#7), and as a text PEM format x509
certificate - it's the same cert, just in different output formats.

There were two vendors I had trouble with.

The Crosslogix requests were for DSA keys; I'm only set up to do RSA right
now. RSA is the safe choice for SSLv3.

I'm getting error messages that I don't understand when I try to process the
Sun request. I've attached an OpenSSL dump of the request, in case anyone
else can spot something strange, but to my eye the request seems fine. I
tried reformatting it a few different ways, but no luck. I'll pass it on to
my expert, but it would help to know how you generated it. In the meantime,
can you import a PKCS#12 bundle with server-generated keys? I can build a
keypair from scratch, certify it, send you the .p12, and phone you with the
passphrase to unlock the private key.

The attached .zip file includes all the requests I have so far, and the
certificates I was able to produce. The successful contestants are, in no
particular order,

Novell
Oblix
Baltimore
Sigaba
IBM
Entegrity
ePeople

 - irving -
 

Attachment: SAML Demo Certificates.zip (application/x-zip-compressed, base64)

-- 
________________________________________________________________________ 
Bhavna Bhatnagar                                Sun Microsystems Inc.            
Identity Management group        __o
Tel: 408-276-3591              _`\<,_   
                              (*)/ (*)
 ________________________________________________________________________
 