shibboleth-dev - Re: testing the one-hop validation scenario
- From: "RL 'Bob' Morgan" <>
- To: Derek Atkins <>
- Cc: Shibboleth Design Team <>
- Subject: Re: testing the one-hop validation scenario
- Date: Fri, 6 Jun 2003 01:28:52 -0700 (PDT)
On 5 Jun 2003, Derek Atkins wrote:
> > can you tell if that RSA cert is "the same one" found in standard
> > distributions (eg openssl bundle)?
>
> I do not know. It's the one labeled:
>
> <!-- RSA Secure Server CA -->
>
> in the trust.xml file. It parses fine into an x509 object but
> OpenSSL fails to add it to the keystore. I don't know why --
> I don't have a debugging-build of openssl lying around.
I bet it's because it's exactly the same cert as the one earlier in the
file called "Verisign/RSA Secure Server CA", so it probably barfs when
trying to add two roots with the same issuer/subject/etc.
Turns out my other problem was that, while trying to test various CA
approaches, I had left the shib.cac.washington.edu-specific key in its own
KeyAuthority section in the perq target trust.xml file; but of course,
having changed the actual cert/key being used by the shib HS, this caused
validation to fail using that key. I don't know if we'd expect the shar to
keep trying to validate the assertion after the specific key it had for
that HS failed; I suppose so. So, anyway, I removed that and got an
"untrusted HS" error or something like that.
Based on Derek's discovery I figured I could just remove the duplicate RSA
cert from the trust.xml file on perq and it would start to work ... and
indeed it did. So hey. I tried with a minimal trust.xml that only
includes the UW CA certifying the incommon:pilot, and that works too.
So, that wasn't so hard ... sigh.
- RL "Bob"
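The two trust.xml problems in this message (a root listed twice under different comment labels, and a stale site-specific KeyAuthority entry) are both things a quick lint of the file catches before the shar ever builds its OpenSSL store. The script below is an added example, not code from the Shibboleth project or from anyone on this thread. It assumes a Shibboleth 1.x-style layout of `KeyAuthority` / `ds:KeyInfo` / `ds:X509Data` / `ds:X509Certificate` elements in the XML-Signature namespace (that nesting is an assumption here), and the embedded sample file is constructed for the example: its base64 blobs are placeholders, not real certificates, since the check only needs the decoded bytes to compare. Duplicates are detected by SHA-1 fingerprint of the decoded DER, which is what a store keyed on the certificate itself sees, regardless of the comment label or the whitespace wrapping of the base64. One caveat for anyone reproducing the symptom today: the OpenSSL of 2003 returned an error (`X509_R_CERT_ALREADY_IN_HASH_TABLE`) from `X509_STORE_add_cert` for a certificate already in the store, whereas OpenSSL 1.1.0 and later silently accept the duplicate, so a modern build will not fail the way perq did; the duplicated entry is still a configuration defect worth removing.

```python
"""Lint a Shibboleth-1.x-style trust.xml for duplicate CA certificates.

Added example; not part of the Shibboleth code base. The element nesting
(KeyAuthority/ds:KeyInfo/ds:X509Data/ds:X509Certificate) is an assumption.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
CERT_TAG = "{%s}X509Certificate" % DS_NS
ET.register_namespace("ds", DS_NS)

# Constructed sample trust.xml. The first two certificates are byte-for-byte
# identical (one is merely wrapped differently), mirroring a root listed once
# as "Verisign/RSA Secure Server CA" and again as "RSA Secure Server CA".
# The base64 blobs are placeholders, not real X.509 certificates.
SAMPLE_TRUST_XML = """<?xml version="1.0"?>
<Trust xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <KeyAuthority>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>
          QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
        </ds:X509Certificate>
        <ds:X509Certificate>QUJDREVGR0hJ SktMTU5PUFFSU1RVVldYWVo=</ds:X509Certificate>
        <ds:X509Certificate>dXctY2EtcGxhY2Vob2xkZXI=</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </KeyAuthority>
</Trust>
"""


def _fingerprint(cert_el):
    """SHA-1 over the decoded DER bytes, ignoring base64 whitespace/wrapping."""
    b64 = "".join((cert_el.text or "").split())
    der = base64.b64decode(b64)
    return hashlib.sha1(der).hexdigest()


def certificate_fingerprints(trust_xml):
    """Return [(position, fingerprint)] for every X509Certificate in the file."""
    root = ET.fromstring(trust_xml)
    return [(i, _fingerprint(el)) for i, el in enumerate(root.iter(CERT_TAG))]


def find_duplicate_cas(trust_xml):
    """Return [(first_position, duplicate_position, fingerprint)] for repeats."""
    seen = {}
    duplicates = []
    for pos, fp in certificate_fingerprints(trust_xml):
        if fp in seen:
            duplicates.append((seen[fp], pos, fp))
        else:
            seen[fp] = pos
    return duplicates


def remove_duplicate_cas(trust_xml):
    """Drop every repeated certificate, keeping the first occurrence.

    Returns (cleaned_xml, number_removed). Parents are snapshotted before
    mutation so removing leaf elements does not disturb the traversal.
    """
    root = ET.fromstring(trust_xml)
    seen = set()
    removed = 0
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag != CERT_TAG:
                continue
            fp = _fingerprint(child)
            if fp in seen:
                parent.remove(child)
                removed += 1
            else:
                seen.add(fp)
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    for first, dup, fp in find_duplicate_cas(SAMPLE_TRUST_XML):
        print("certificate #%d duplicates #%d (sha1 %s)" % (dup, first, fp))
    cleaned, n = remove_duplicate_cas(SAMPLE_TRUST_XML)
    print("removed %d duplicate(s); %d certificate(s) remain"
          % (n, len(certificate_fingerprints(cleaned))))
```

Run it against a real trust.xml by replacing `SAMPLE_TRUST_XML` with the file contents; a stale site-specific KeyAuthority entry (the second problem in the message) will not show up as a duplicate, so for that case print the fingerprints and compare them against the certificate the HS is actually presenting.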