cosign-discuss at umich.edu
general discussion of cosign development and deployment
Re: Self signed certificates?
Cosignd needs to be able to verify the certificate and its signer.
Self-signed certs do not work with Cosign. It is possible, though, to
generate your own CA certificate using openssl and use it to sign
certificates for testing. We actually use a local CA for many of our
production cosign certs. Setting up a CA with openssl is actually
quite straightforward:
http://tirian.magd.ox.ac.uk/~nick/openssl-certs/ca.shtml
If you send me a CSR directly I'd be happy to bring up a CosignTest CA
and sign it for you.
On Apr 2, 2004, at 9:03 PM, Raymond W. Lucke IV wrote:
> Hi,
> I am trying to set up my own cosign server and login server, and am
> trying to make it work with a self-signed certificate for now. I am
> wondering what it takes for me to get this to work. It would seem that
> nothing I try seems to work. I get the following error:
>
> snet_starttls: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> cosign_choose_conn: no connection to servers.
>
> I read in your documentation that SSL errors are some of the most
> difficult, and I have tried just about every variant of self signing I
> could do. Sorry if what I am asking sounds vague.
> And even when I go to get a certificate signed by a Thawte or
> somebody, is that something that really is beneficial?
Thawte, VeriSign and 2-year Comodo certs should all work. Entrust
certs do not have client capabilities so they do not work. If you use
a commercially signed cert (or a cert signed by your own CA, for that
matter) you just need to make sure that a copy of the CA cert is in
cosign's CA directory (on both the client & server) and that you've run
c_rehash on that directory.
Kevin
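The procedure Kevin describes, as an added example that is not part of the original thread or of the cosign project's own code: build a throwaway local CA with openssl, issue a certificate that carries both the server and the client extended key usage (the "client capabilities" he says Entrust certs lack), copy the CA cert into a hashed CA directory as cosign expects on both client and server, and check that a CA-issued cert verifies against that directory while a plain self-signed one fails the way the quoted "certificate verify failed" does. The CA name "CosignTest CA", the host name cosign.example.test, and the file layout under a mktemp directory are assumptions; the commands themselves are standard openssl subcommands.

```shell
#!/bin/sh
# Added example, not code from the cosign project or the thread's authors.
# Builds a throwaway local CA, issues a server+client cert, installs the CA
# cert into a hashed CA directory and verifies against it.
# All names (CosignTest CA, cosign.example.test, file layout) are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for the throwaway PKI

# Create a self-signed CA key and certificate in directory $1.
make_local_ca() {
    ca_dir="$1"
    mkdir -p "$ca_dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=CosignTest CA" \
        -keyout "$ca_dir/ca.key" -out "$ca_dir/ca.pem" 2>/dev/null
}

# Generate a key and CSR for host $3, sign it with the CA in $1, write $2.pem.
# The extension file adds clientAuth: cosign also connects out as a TLS
# client with this cert, so a server-only EKU is not enough.
issue_cert() {
    ca_dir="$1"; name="$2"; host="$3"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$ca_dir/$name.key" -out "$ca_dir/$name.csr" 2>/dev/null
    printf 'extendedKeyUsage = serverAuth, clientAuth\nsubjectAltName = DNS:%s\n' \
        "$host" > "$ca_dir/$name.ext"
    openssl x509 -req -in "$ca_dir/$name.csr" \
        -CA "$ca_dir/ca.pem" -CAkey "$ca_dir/ca.key" -CAcreateserial \
        -days 365 -extfile "$ca_dir/$name.ext" -out "$ca_dir/$name.pem" 2>/dev/null
}

# A plain self-signed certificate for host $2 written to $1, for contrast.
make_self_signed() {
    out="$1"; host="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$host" \
        -keyout "$out.key" -out "$out" 2>/dev/null
}

# Copy CA cert $1 into the CApath-style directory $2 and hash it, which is
# what cosign's CA directory on both client and server needs.
# c_rehash is the classic script; 'openssl rehash' is the built-in equivalent.
install_ca() {
    ca_pem="$1"; capath="$2"
    mkdir -p "$capath"
    cp "$ca_pem" "$capath/"
    c_rehash "$capath" >/dev/null 2>&1 || openssl rehash "$capath" 2>/dev/null
}

# Returns 0 when cert $2 chains to a CA in the hashed directory $1.
verify_against_capath() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Returns 0 when cert $1 carries the TLS client authentication EKU.
has_client_auth() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Extended Key Usage' | grep -q 'TLS Web Client Authentication'
}

# Walk through the whole procedure and report both verification outcomes.
demo() {
    ca="$WORK/ca"; capath="$WORK/capath"
    make_local_ca "$ca"
    issue_cert "$ca" server cosign.example.test
    make_self_signed "$WORK/selfsigned.pem" cosign.example.test
    install_ca "$ca/ca.pem" "$capath"
    if verify_against_capath "$capath" "$ca/server.pem"; then
        echo "CA-issued cert: verify OK against $capath"
    fi
    if ! verify_against_capath "$capath" "$WORK/selfsigned.pem"; then
        echo "self-signed cert: certificate verify failed (expected)"
    fi
    if has_client_auth "$ca/server.pem"; then
        echo "CA-issued cert carries clientAuth"
    fi
}

demo
```

The verification step is the same check cosignd performs when it sees the peer certificate: it looks for the issuer in the hashed CA directory, so a cert whose issuer is not there (a self-signed one, or one from a CA whose cert was copied in but never rehashed) fails with "certificate verify failed". Running install_ca against the real cosign CA directory on each host is the equivalent of Kevin's "copy the CA cert in and run c_rehash".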