Shibboleth Users



RE: Problem with certs


  • From: "Scott Cantor"
  • To: "'Francisco Queiros Pinto'", "'Shib Users List'"
  • Subject: RE: Problem with certs
  • Date: Fri, 25 Feb 2005 13:09:43 -0500
  • Organization: The Ohio State University

> > Put the CN of the cert in metadata as the HandleService Name.
>
> I didn't manage to do it with the CN only at the metadata entries. I
> had to go for the entire DN as I was getting the following
> error at the SHAR:

If you had "CN=foo", that's not what I meant. I meant "foo" alone.

> Adding the following element to the IQ-trust.xml:
>
> ---
> <KeyAuthority VerifyDepth="0">

This cert is not self-signed, but you have VerifyDepth=0. That can't work.

> Do I have to add the CA cert to the trust.xml file as well? If yes,
> where?

You ONLY add the CA, that's what a KeyAuthority is for. But you said you
wanted to use self-signed certs. That means the server cert IS the CA. What
you have in there is not self-signed, so you're doing something entirely
different from what I was describing.

> Not sure about this one. If I'm using a self-signed certificate, what
> is the contents of the CA bundle?

But you're NOT using a self-signed cert. At least that's not what you posted
here.

Issuer: O=University of Oxford, OU=SPIE, CN=CA
Subject: C=GB, ST=Oxfordshire, L=Oxford, O=University of Oxford, OU=OUC, CN=shibboleth.oucs.ox.ac.uk

See? No match. Not self-signed. Therefore no path validation will work
without the actual CA in the trust file.

As I was discussing in email, technically path validation is supposed to
work even if the trust root is not self-signed. OpenSSL does not allow this.
Therefore the code doesn't, yet anyway.

-- Scott
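The distinction Scott is drawing (a self-signed certificate can be its own trust anchor; a CA-issued certificate needs the issuing CA in the trust file, and no amount of fiddling with the leaf or VerifyDepth substitutes for that) can be demonstrated offline. The following is an added example, not code from the thread or from Shibboleth: it uses Go's standard crypto/x509 as a stand-in for the OpenSSL path validation the SHAR relied on, generates its own throwaway keys and certificates (the names are constructed, not the Oxford ones above), and checks each of the three situations discussed.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// template builds a minimal certificate body. Names are constructed for
// this example and stand in for the real metadata/trust entries.
func template(cn string, isCA bool, serial int64) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{Organization: []string{"Example University"}, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// newCert issues tmpl under parent/parentKey. With parent == nil the
// certificate is self-signed by its own freshly generated key.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IsSelfSigned applies the test Scott applies by eye: the issuer DN must
// equal the subject DN, and the signature must verify under the
// certificate's own public key. A cert like the Oxford one fails the
// first check, so it cannot be its own trust root.
func IsSelfSigned(c *x509.Certificate) bool {
	if !bytes.Equal(c.RawIssuer, c.RawSubject) {
		return false
	}
	return c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
}

// PathValidates builds a chain from leaf to exactly the given anchors,
// with no system roots; this is the "trust file" of the thread.
func PathValidates(leaf *x509.Certificate, anchors ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, a := range anchors {
		pool.AddCert(a)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

// Result records the outcome of each situation discussed in the thread.
type Result struct {
	SelfSignedLeafIsSelfSigned bool // true: what Scott asked for
	SelfSignedLeafAsOwnAnchor  bool // true: the server cert IS the CA
	IssuedLeafIsSelfSigned     bool // false: issuer != subject, as posted
	IssuedLeafWithoutCA        bool // false: no path without the real CA
	IssuedLeafWithCA           bool // true: only the CA goes in the trust file
}

func RunScenarios() (Result, error) {
	var r Result
	selfLeaf, _, err := newCert(template("shibboleth.example.ac.uk", false, 1), nil, nil)
	if err != nil {
		return r, err
	}
	ca, caKey, err := newCert(template("CA", true, 2), nil, nil)
	if err != nil {
		return r, err
	}
	issued, _, err := newCert(template("shibboleth.example.ac.uk", false, 3), ca, caKey)
	if err != nil {
		return r, err
	}
	r.SelfSignedLeafIsSelfSigned = IsSelfSigned(selfLeaf)
	r.SelfSignedLeafAsOwnAnchor = PathValidates(selfLeaf, selfLeaf) == nil
	r.IssuedLeafIsSelfSigned = IsSelfSigned(issued)
	r.IssuedLeafWithoutCA = PathValidates(issued) == nil
	r.IssuedLeafWithCA = PathValidates(issued, ca) == nil
	return r, nil
}

func main() {
	r, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The example shows the shape of the argument rather than the exact OpenSSL behaviour of 2005: Go's verifier treats whatever is in the Roots pool as an anchor and does not insist that the anchor be self-signed, so it does not reproduce the restriction Scott mentions in his last paragraph. What carries over unchanged is the issuer/subject mismatch, which is what tells you the posted certificate is CA-issued, and the fact that path validation for such a certificate fails until the issuing CA itself is in the trust file.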



