	cosign-discuss at umich.edu
	general discussion of cosign development and deployment

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: cosignd and multiple CAs

To: johanna bromberg craig <canna@xxxxxxxxx>
Subject: Re: cosignd and multiple CAs
From: Phil Pishioneri <pgp@xxxxxxx>
Date: Fri, 04 Jun 2004 14:13:39 -0400
Cc: Cosign Discussion <cosign-discuss@xxxxxxxxx>
In-reply-to: <E16AF526-B641-11D8-95D1-000A95E48A4E@umich.edu>
References: <40C09DB1.40708@psu.edu> <E16AF526-B641-11D8-95D1-000A95E48A4E@umich.edu>
User-agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7) Gecko/20040514

On 6/4/04 12:11 PM, johanna bromberg craig wrote:

We run it this way at Michigan now. :)

We use Verisign, InstantSSL and our umwebCA all together in our current weblogin infrastructure.

Are you running into any issues with this sort of configuration?

While attempting to use a filter cert from the second CA, we're getting this on the cosignd's syslog:

f_starttls: snet_starttls: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

(no other error messages being logged on the server).

At the filter's side, we aren't getting any error messages in the web server's error_log.

If we switch the cert the filter is using to one signed by the first CA (same one that signed the cosignd cert), it works.

The one significant difference between those certs (both CAs are local) is that the 1st has keys of 1024 bit lengths (for both CA and client), the 2nd is using 2048 lengths (for both).

-Phil

Follow-Ups:
- Re: cosignd and multiple CAs
  - From: Phil Pishioneri

References:
- cosignd and multiple CAs
  - From: Phil Pishioneri
- Re: cosignd and multiple CAs
  - From: johanna bromberg craig

Prev by Date: Re: cosignd and multiple CAs
Next by Date: Re: cosignd and multiple CAs
Previous by thread: Re: cosignd and multiple CAs
Next by thread: Re: cosignd and multiple CAs
Index(es):
- Date
- Thread