Shibboleth Users



Re: Problem with certs


  • From: Francisco Queiros Pinto < >
  • To: Scott Cantor < >, 'Shib Users List' < >
  • Subject: Re: Problem with certs
  • Date: Sun, 27 Feb 2005 00:01:48 +0000

On 25 Feb 2005, at 18:09, Scott Cantor wrote:

>>> Put the CN of the cert in metadata as the HandleService Name.
>>
>> I didn't manage to do it with the CN only at the metadata entries. I
>> had to go for the entire DN as I was getting the following
>> error at the SHAR:

Hi Scott,

Many thanks for your message.

> If you had "CN=foo", that's not what I meant. I meant "foo" alone.

Ok, this worked straight away. Thanks for the clarification.

>> Adding the following element to the IQ-trust.xml:
>>
>> ---
>> <KeyAuthority VerifyDepth="0">
>
> This cert is not self-signed, but you have VerifyDepth=0. That can't work.

Yes, you are right. That wasn't a self-signed certificate. I was using the wrong term. What I wanted to say was a certificate signed by our own 'self-signed' CA.

>> Do I have to add the CA cert to the trust.xml file as well? If yes,
>> where?
>
> You ONLY add the CA, that's what a KeyAuthority is for. But you said you
> wanted to use self-signed certs. That means the server cert IS the CA. What
> you have in there is not self-signed, so you're doing something entirely
> different from what I was describing.

In this case, assuming that it's possible to use a server certificate signed by a self-signed CA root certificate, do we still use only the CA root certificate in the trust.xml file? If not, what else do I have to have in it?

>> Not sure about this one. If I'm using a self-signed certificate, what
>> are the contents of the CA bundle?
>
> But you're NOT using a self-signed cert. At least that's not what you posted
> here.
>
> Issuer: O=University of Oxford, OU=SPIE, CN=CA
> Subject: C=GB, ST=Oxfordshire, L=Oxford, O=University of Oxford, OU=OUC, CN=shibboleth.oucs.ox.ac.uk
>
> See? No match. Not self-signed. Therefore no path validation will work
> without the actual CA in the trust file.

Sorry, my mistake when writing the message.

Thanks again for your precious help.
Regards,

--
Francisco
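As an added example (not code from the thread or from Shibboleth), a small Python checker that applies the rule Scott spells out to the Issuer/Subject lines quoted above: it re-joins the Subject line the archive wrapped, decides whether the certificate is self-signed by comparing Issuer and Subject, pulls out the bare CN (the "foo", not "CN=foo") for the HandleService Name entry, and reports whether a KeyAuthority with VerifyDepth="0" and no CA cert can work. The sample text is the thread's own DN output, re-typed as a constructed input; the self-signed case in the usage is constructed.

```python
import re

# Constructed sample input: the openssl-style Issuer/Subject lines quoted in the
# thread, including the line wrap the mail archive introduced in the Subject.
SAMPLE_CERT_TEXT = """\
Issuer: O=University of Oxford, OU=SPIE, CN=CA
Subject: C=GB, ST=Oxfordshire, L=Oxford, O=University of Oxford, OU=OUC
, CN=shibboleth.oucs.ox.ac.uk
"""

def parse_dn(dn):
    """Split an OpenSSL one-line DN into (attr, value) pairs; an escaped '\\,' stays in the value."""
    pairs = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, val = part.strip().partition("=")
        if attr:
            pairs.append((attr.strip().upper(), val.strip().replace("\\,", ",")))
    return pairs

def extract_names(text):
    """Return (issuer, subject) pair lists, re-joining continuation lines that begin with ','."""
    joined = re.sub(r"\n(?=\s*,)", "", text)
    fields = {}
    for line in joined.splitlines():
        m = re.match(r"\s*(Issuer|Subject):\s*(.*)$", line)
        if m:
            fields[m.group(1)] = parse_dn(m.group(2))
    return fields["Issuer"], fields["Subject"]

def dn_cn(pairs):
    """Bare CN value, which is the form the HandleService Name in metadata expects."""
    return next(v for a, v in pairs if a == "CN")

def trust_advice(issuer, subject):
    """Rule from the thread: a self-signed cert is its own CA, so VerifyDepth="0" is fine;
    otherwise the issuing CA must be the KeyAuthority and depth 0 cannot validate the path."""
    self_signed = issuer == subject
    return {"self_signed": self_signed,
            "verify_depth_0_ok": self_signed,
            "key_authority_cn": dn_cn(subject if self_signed else issuer),
            "handle_service_name": dn_cn(subject)}

if __name__ == "__main__":
    print(trust_advice(*extract_names(SAMPLE_CERT_TEXT)))
```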



