Shibboleth Users

Re: Problem with certs

  • From: Francisco Queiros Pinto
  • To: Scott Cantor, 'Shib Users List'
  • Subject: Re: Problem with certs
  • Date: Mon, 28 Feb 2005 15:43:20 +0000

On 27 Feb 2005, at 17:42, Scott Cantor wrote:

Hi Scott,

In this case, assuming that it's possible to use a server certificate
signed by a self-signed CA root certificate, do we still use only the
CA root certificate in the trust.xml file? If not, what else
do I have to have in it?

If you're doing path validation with the CA, the whole point is to put the
CA in there by itself. Otherwise you'd just be using a well-known key and
not doing validation. That isn't supported yet for SSL, only for signing.
You have to have a KeyAuthority with the self-signed end of the chain in the
file with a KeyName that will cause it to be matched for that SSL connection.

The VerifyDepth has to be at least 1 unless the server cert itself is
self-signed. Depth 0 means no chain.

Precisely what I wanted to do. Many thanks.

