shibboleth-dev - Re: AA encountering old cert......
Shibboleth Developers list archive
- From: Walter Hoehn
- Subject: Re: AA encountering old cert......
- Date: Thu, 15 Jul 2004 21:05:57 -0500
Hi Steven,
It is your directory server certificate that has expired. Below is a dump of the certificate it is presenting.
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            69:49:41:ed:d7:63:22:5c:af:4b:82:7b:5c:78:32:35
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=RSA Data Security, Inc., OU=Secure Server Certification Authority
        Validity
            Not Before: Jul 9 00:00:00 2002 GMT
            Not After : Jul 8 23:59:59 2004 GMT
        Subject: C=US, ST=Rhode Island, L=Providence, O=Brown University, OU=CIS, CN=directory.cis-qas.brown.edu
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:a6:0c:5e:3f:7f:7e:a8:38:15:54:5f:f8:ee:ee:
                    7b:f4:15:64:7b:de:34:d7:28:34:cd:a0:55:b3:06:
                    82:83:ac:3a:d2:fd:51:74:f2:3e:66:53:6a:3f:03:
                    73:6c:40:4a:0f:ea:8f:41:99:3b:f8:42:c4:14:a5:
                    a2:07:5b:b4:98:2f:57:d0:50:8d:40:22:63:b6:79:
                    22:48:b5:38:d9:05:c6:bb:04:d6:f2:ac:9b:98:5f:
                    88:60:fe:f0:b4:13:52:f5:35:b9:04:1f:94:c6:88:
                    c9:41:1c:ed:69:ce:0d:2a:49:fd:9b:12:87:e6:b6:
                    54:a7:04:7a:02:83:85:75:f9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 CRL Distribution Points:
                URI:http://crl.verisign.com/RSASecureServer.crl
            X509v3 Certificate Policies:
                Policy: 2.16.840.1.113733.1.7.23.3
                  CPS: https://www.verisign.com/rpa
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            2.16.840.1.113733.1.6.15:
                ..001785542
            Authority Information Access:
                OCSP - URI:http://ocsp.verisign.com
    Signature Algorithm: sha1WithRSAEncryption
        17:61:bd:48:c1:c7:67:b6:a1:8a:55:4e:e6:46:e0:2b:a2:b6:
        6f:97:66:b4:d9:04:03:04:36:d1:3a:83:e9:46:4f:81:35:0f:
        db:bc:d5:38:ba:31:9c:84:d4:5b:2f:7b:47:ef:9a:4e:ab:10:
        cc:ef:7f:c4:81:cb:eb:a9:00:61:26:3c:d6:f0:ad:a2:21:ef:
        52:97:98:ae:f1:f2:b3:47:f7:a5:2d:d8:57:a9:3f:79:48:1a:
        49:8b:28:3e:b5:5d:dd:17:b6:19:76:7a:5c:dc:e1:16:89:4f:
        91:02:74:08:c0:46:2d:cd:a8:64:86:20:6e:bb:ce:49:00
On Jul 15, 2004, at 9:01 PM, Steven Carmody wrote:
I've got an origin on an older machine, using a cert obtained about a year ago. I'm suddenly getting this message in my origin log:
2004-07-15 20:03:11,046 ERROR [AA] Core - Failed to startup directory context: javax.naming.CommunicationException: simple bind failed: directory.cis-qas.brown.edu:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException: NotAfter: Thu Jul 08 19:59:59 EDT 2004]
2004-07-15 20:03:11,049 WARN [AA] Core - Skipping PlugIn: directory
I would have assumed, though, that the LDAP server returned this cert... I wouldn't have expected the Java libraries to be presenting a client cert...
However,
/usr/local/bin/ldapsearch -H ldaps://directory.cis-qas.brown.edu/ -b "dc=brown,dc=edu" -D "cn=stc_query,ou=special users,dc=brown,dc=edu" -w PASS brownnetid=steven_carmody
does work... although the ldapsearch doc makes no mention of SSL support...
So... which cert has expired?
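The check below is an added example, not code from the thread: it reconciles the two notAfter timestamps seen above (openssl's GMT dump and the JDK's local-time exception message), measures how far past expiry the AA's bind attempt was, and wraps the `openssl s_client` one-liner a defender would use to read the certificate an LDAPS server actually presents. It assumes `openssl` is on PATH for the live check and that the JDK's zone abbreviation is EDT (UTC-4) as in the log; the zone table is a constructed minimum.

```python
"""Which certificate expired? Reconcile and check notAfter for an LDAPS server."""
import re
import subprocess
from datetime import datetime, timedelta, timezone

# Zone abbreviations seen in openssl output and JDK exception messages.
# Assumption: only the zones needed for this thread; extend for your locale.
ZONES = {
    "GMT": timezone.utc, "UTC": timezone.utc,
    "EDT": timezone(timedelta(hours=-4)), "EST": timezone(timedelta(hours=-5)),
}

def parse_openssl_time(text: str) -> datetime:
    """Parse 'Not After : Jul  8 23:59:59 2004 GMT' (x509 -text / -enddate)."""
    m = re.search(r"(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) (\d{4}) (\w{3})", text)
    if not m:
        raise ValueError(f"unrecognised openssl time: {text!r}")
    mon, day, clock, year, zone = m.groups()
    naive = datetime.strptime(f"{mon} {int(day):02d} {clock} {year}", "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=ZONES[zone])

def parse_java_time(text: str) -> datetime:
    """Parse 'Thu Jul 08 19:59:59 EDT 2004' as CertificateExpiredException prints it."""
    m = re.search(r"\w{3} (\w{3}) (\d\d) (\d\d:\d\d:\d\d) (\w{3}) (\d{4})", text)
    if not m:
        raise ValueError(f"unrecognised Java time: {text!r}")
    mon, day, clock, zone, year = m.groups()
    naive = datetime.strptime(f"{mon} {day} {clock} {year}", "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=ZONES[zone])

def seconds_past_expiry(not_after: datetime, now: datetime) -> float:
    """Positive when the certificate had already expired at `now`."""
    return (now - not_after).total_seconds()

def live_not_after(host: str, port: int = 636) -> datetime:
    """Return notAfter of the end-entity certificate the server presents.

    openssl s_client still prints the certificate when the chain fails to
    verify, which is exactly what is needed for an expired server cert.
    This reads the certificate only; it does not validate the chain."""
    tls = subprocess.run(["openssl", "s_client", "-connect", f"{host}:{port}"],
                         input=b"", capture_output=True)
    end = subprocess.run(["openssl", "x509", "-noout", "-enddate"],
                         input=tls.stdout, capture_output=True, check=True)
    return parse_openssl_time(end.stdout.decode())
```

Running `live_not_after("directory.cis-qas.brown.edu")` against the server in the thread would have returned the Jul 8 2004 date and answered the question directly; ldapsearch succeeding says nothing about validity unless its TLS settings demand a verified certificate.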
- AA encountering old cert......, Steven_Carmody, 07/15/2004
- RE: AA encountering old cert......, Scott Cantor, 07/15/2004
- Re: AA encountering old cert......, Walter Hoehn, 07/15/2004