CoSign: Collaborative Single Sign-On  

cosign-discuss at
general discussion of cosign development and deployment


Re: certificate questions

Wesley Craig wrote:

On 15 Sep 2005, at 11:55, Will Jaynes wrote:

SSLSocketFactory = Untrusted Server Certificate Chain

So the cosign filter isn't able to connect to the cosign server due to some problem with the certificate.

I don't have any Java experience, but searching for your error in Google, I found this: msg00393.html

Does this help?


ps I'd ignore the "bone in my nose" suggestion. :)

Yes, thank you, it did help. Evidently Java's keytool *is* rather picky. Evidently, when I first created the keypair, since I didn't indicate an alias, it was stored as a self-signed cert with an alias of "mykey". I then imported the umwebCA cert. That went fine. When I got back the signed cert from umweb, I imported it into the keystore, but I gave it an alias. Evidently, this was the wrong thing to do, since it created a new cert in the keystore rather than replacing the original keypair cert.

What I should have done to make it work the first time was:

1) create a new keystore and a keypair
   keytool -genkey -keystore keystore -alias MyNewAlias -keyalg "RSA"
2) generate a certificate signing request
   keytool -certreq -keystore keystore -alias MyNewAlias -keyalg "RSA" -file
3) send the file to um's webmaster
4) import the um CA cert. It's in the cosign distribution, called umwebCA.pem.
   keytool -import -keystore keystore -keyalg "RSA" -alias umweb -file umwebCA.pem
5) import the signed certificate that I got back from umweb
   keytool -import -keystore keystore -keyalg "RSA" -alias MyNewAlias -file returned.certificate.cer

I don't know if the -keyalg "RSA" is actually necessary, but it was part of the directions in the JavaCosign source code.

Thanks for the help,
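
A check for the failure described in this message, added here as an example and not part of the original post or the JavaCosign code: it parses `keytool -list -v` output and confirms that the alias holding the private key carries the CA-signed certificate rather than the original self-signed one. The function names and sample subject names are assumptions, and it assumes English output with the `PrivateKeyEntry` / `trustedCertEntry` labels printed by current keytool versions.

```shell
# Added example (not from the original message). Reads `keytool -list -v`
# text on stdin and prints one line per alias:
#   <alias> <entry type> <chain length or -> <self-signed|ca-signed>
# Assumes English output with the labels used by current keytool versions.
classify_entries() {
    awk '
    function emit() { if (alias != "") print alias, type, chain, status }
    /^Alias name: / { emit(); alias = substr($0, 13); type = ""; chain = "-"; status = "-"; seen = 0 }
    /^Entry type: / { type = $3 }
    /^Certificate chain length: / { chain = $4 }
    /^Owner: /  { if (!seen) owner = substr($0, 8) }
    /^Issuer: / { if (!seen) { status = (substr($0, 9) == owner) ? "self-signed" : "ca-signed"; seen = 1 } }
    END { emit() }'
}

# Succeeds only if alias $1 holds the private key and its first (leaf)
# certificate was issued by someone else, i.e. the CA reply replaced the
# self-signed certificate. JKS aliases are case-insensitive, hence -i.
key_entry_ok() {
    classify_entries | grep -qix "$1 PrivateKeyEntry [0-9][0-9]* ca-signed"
}

# Constructed sample: the keystore state described in the message, with the
# signed certificate imported under a new alias instead of the key's alias.
broken_sample() { cat <<'EOF'
Alias name: mykey
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=app.example.edu
Issuer: CN=app.example.edu
Alias name: umweb
Entry type: trustedCertEntry
Owner: CN=Example Web CA
Issuer: CN=Example Web CA
Alias name: mynewalias
Entry type: trustedCertEntry
Owner: CN=app.example.edu
Issuer: CN=Example Web CA
EOF
}

broken_sample | classify_entries
# Real use: keytool -list -v -keystore keystore | key_entry_ok MyNewAlias
```

On the constructed sample the private key stays under `mykey` with a self-signed certificate, while the signed certificate sits in a separate `trustedCertEntry`, so an SSL stack using the key entry would still present the untrusted certificate.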

Copyright © 2002 - 2004 Regents of the University of Michigan :  Page last updated 15-December-2010