CoSign: Collaborative Single Sign-On  
 

cosign-discuss at umich.edu
general discussion of cosign development and deployment
 


Re: certificate questions




Wesley Craig wrote:


On 15 Sep 2005, at 11:55, Will Jaynes wrote:

SSLSocketFactory = com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl@71edc0
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Untrusted Server Certificate Chain


So the cosign filter isn't able to connect to the cosign server due to some problem with the certificate.


I don't have any Java experience, but searching for your error in Google, I found this:

http://www.umich.edu/~umweb/software/cosign/cosign-discuss/msg00393.html

Does this help?

:wes

ps I'd ignore the "bone in my nose" suggestion. :)


Yes, thank you, it did help. Evidently Java's keytool *is* rather picky. Evidently, when I first created the keypair, since I didn't indicate an alias, it was stored as a self-signed cert with an alias of "mykey". I then imported the umwebCA cert. That went fine. When I got back the signed cert from umweb, I imported it into the keystore, but I gave it an alias. Evidently, this was the wrong thing to do, since it created a new cert in the keystore rather than replacing the original keypair cert.

What I should have done to make it work first time was

1) create a new keystore and a keypair
    keytool -genkey -keystore keystore -alias MyNewAlias -keyalg "RSA"
2) generate a certificate signing request
    keytool -certreq -keystore keystore -alias MyNewAlias -keyalg "RSA" -file my.host.com.csr
3) send the my.host.com.csr file to um's webmaster
4) import the um CA cert. It's in the cosign distribution called umwebCA.pem.
    keytool -import -keystore keystore -keyalg "RSA" -alias umweb -file umwebCA.pem
5) import the signed certificate that I got back from umweb
    keytool -import -keystore keystore -keyalg "RSA" -alias MyNewAlias -file returned.certificate.cer


I don't know if the -keyalg "RSA" is actually necessary, but it was part of the directions in the JavaCosign source code.

Thanks for the help,
Will
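
Added example, not part of the original message or of the cosign distribution: a shell check for the keystore state described above, where the signed certificate was imported under a new alias and the key entry kept its self-signed certificate. It reads `keytool -list -v` output on stdin; the sample listing is constructed, its layout follows keytool's verbose listing (assumed), and `CN=Placeholder CA` is a placeholder name.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `keytool -list -v` output on stdin and
# classifies each alias. Exit status is 1 if any private-key entry is still self-signed.
check_keystore_listing() {
    awk '
    /^Alias name: / { alias = substr($0, 13); names[n++] = alias }
    /^Entry type: / { kind[alias] = substr($0, 13) }
    # Only the first Owner/Issuer pair per alias matters: that is the entry certificate.
    /^Owner: /      { if (!(alias in owner))  owner[alias]  = substr($0, 8) }
    /^Issuer: /     { if (!(alias in issuer)) issuer[alias] = substr($0, 9) }
    END {
        bad = 0
        for (i = 0; i < n; i++) {
            a = names[i]
            # Older JDKs print "keyEntry", newer ones "PrivateKeyEntry".
            if (kind[a] !~ /^(PrivateKeyEntry|keyEntry)$/) { print "TRUSTED-CERT " a; continue }
            if (owner[a] == issuer[a]) { print "SELF-SIGNED " a; bad = 1 }
            else                       { print "CA-SIGNED " a }
        }
        exit bad
    }'
}

# Constructed sample: the key pair sits under "mykey" with its self-signed cert, and
# the signed reply landed under a second alias as a certificate-only entry.
sample_listing() {
    cat <<'EOF'
Alias name: mykey
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=my.host.com
Issuer: CN=my.host.com

Alias name: umweb
Entry type: trustedCertEntry

Owner: CN=Placeholder CA
Issuer: CN=Placeholder CA

Alias name: mynewalias
Entry type: trustedCertEntry

Owner: CN=my.host.com
Issuer: CN=Placeholder CA
EOF
}

sample_listing | check_keystore_listing || true
```

Against a real keystore the input would come from `keytool -list -v -keystore keystore`; a `SELF-SIGNED` line for the key alias means the signed reply has not been attached to the key pair.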



 
Copyright © 2002 - 2004 Regents of the University of Michigan :  Page last updated 15-December-2010