Shibboleth Users

Re: Problem with certs

  • From: Francisco Queiros Pinto < >
  • To: Scott Cantor < >, 'Shib Users List' < >
  • Subject: Re: Problem with certs
  • Date: Sun, 27 Feb 2005 00:01:48 +0000

On 25 Feb 2005, at 18:09, Scott Cantor wrote:

Put the CN of the cert in metadata as the HandleService Name.

I didn't manage to do it with the CN only at the metadata entries. I
had to go for the entire DN as I was getting the following
error at the SHAR:

Hi Scott,

Many thanks for your message.

If you had "CN=foo", that's not what I meant. I meant "foo" alone.

Ok, this worked straight away. Thanks for the clarification.

Adding the following element to the IQ-trust.xml:

<KeyAuthority VerifyDepth="0">

This cert is not self-signed, but you have VerifyDepth=0. That can't work.

Yes, you are right. That wasn't a self-signed certificate. I was using the wrong term. What I wanted to say was a certificate signed by our own 'self-signed' CA.

Do I have to add the CA cert to the trust.xml file as well? If yes,

You ONLY add the CA, that's what a KeyAuthority is for. But you said you
wanted to use self-signed certs. That means the server cert IS the CA. What
you have in there is not self-signed, so you're doing something entirely
different from what I was describing.

In this case, assuming that it's possible to use a server certificate signed by a self-signed CA root certificate, do we still use only the CA root certificate in the trust.xml file? If not, what else do I have to have in it?

Not sure about this one. If I'm using a self-signed certificate, what
are the contents of the CA bundle?

But you're NOT using a self-signed cert. At least that's not what you posted

Issuer: O=University of Oxford, OU=SPIE, CN=CA
Subject: C=GB, ST=Oxfordshire, L=Oxford, O=University of Oxford, OU=OUC

See? No match. Not self-signed. Therefore no path validation will work
without the actual CA in the trust file.

Sorry, my mistake when writing the message.

Thanks again for your precious help.
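
The checks discussed in this thread, as an added example that is not part of the original message or of Shibboleth: it compares the Issuer and Subject names from a certificate's text dump, extracts the bare CN to use as the metadata name, and reports whether a given VerifyDepth can work. The function names are hypothetical, the name comparison is simplified and does not verify any signature, and reading VerifyDepth as "number of CA hops above the server cert" is an assumption based on the thread.

```python
import re

def parse_dn(dn):
    """Split 'C=GB, O=Example' into [(type, value), ...], honouring '\\,' escapes."""
    rdns = []
    for part in re.split(r'(?<!\\),', dn):
        if '=' not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        key, value = part.split('=', 1)
        rdns.append((key.strip().upper(), value.strip().replace('\\,', ',')))
    return rdns

def names_match(a, b):
    """Case-insensitive, whitespace-folded comparison (simplified name matching)."""
    def fold(rdns):
        return [(k, ' '.join(v.lower().split())) for k, v in rdns]
    return fold(a) == fold(b)

def common_name(rdns):
    """Return the bare CN value ('foo', not 'CN=foo'), or None if absent."""
    for key, value in rdns:
        if key == 'CN':
            return value
    return None

def review(cert_text, verify_depth):
    """Summarise what the trust file needs for this certificate (names only)."""
    fields = dict(re.findall(r'^\s*(Issuer|Subject):\s*(.+)$', cert_text, re.M))
    issuer, subject = parse_dn(fields['Issuer']), parse_dn(fields['Subject'])
    self_issued = names_match(issuer, subject)
    return {
        'self_issued': self_issued,
        'metadata_name': common_name(subject),
        'trust_anchor': 'the certificate itself' if self_issued else 'the issuing CA certificate',
        # Assumption: depth 0 only accepts a cert that is its own anchor.
        'depth_ok': self_issued or verify_depth >= 1,
    }

# Issuer/Subject exactly as posted in the thread (the Subject is cut off there).
THREAD_CERT = """Issuer: O=University of Oxford, OU=SPIE, CN=CA
Subject: C=GB, ST=Oxfordshire, L=Oxford, O=University of Oxford, OU=OUC"""

# Constructed sample of a genuinely self-issued certificate.
SELF_SIGNED = """Issuer: CN=sp.example.org, O=Example
Subject: cn=sp.example.org, o=example"""

if __name__ == '__main__':
    print(review(THREAD_CERT, 0))
    print(review(SELF_SIGNED, 0))
```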

