CoSign: Collaborative Single Sign-On  
 

cosign-discuss at umich.edu
general discussion of cosign development and deployment
 


Re: certificate questions



Thanks, Johanna,

I created a cert and sent it off to webmaster for signing, and got the returned certificate. Very fast response time. But now I'm having a problem that perhaps people on this list have seen before. Here's the reply I sent to webmaster after encountering the problem:
-----
I am having a problem with importing the certificate that you sent to me yesterday. I'm following the instructions found in the README.txt file with the JavaCosign code. I copied and pasted the certificate you sent to me, and saved it to a file. I then tried to import it into the keystore with the following command:


keytool -keystore keystore -keyalg "RSA" -import -trustcacerts -file www.umms.med.umich.edu.cer

The error I get is:

keytool error: java.lang.Exception: Failed to establish chain from reply

Do you have an idea what my problem might be?

Thanks, Will

johanna bromberg craig wrote:

since you're at umich, these are our policies/guidelines

1) you're right, the cn is the domain name/hostname, but they don't *have* to match, it is just preferred. The only requirement is that the cn end in umich.edu, feel free to "make up" a hostname.

2) in this case it's the umwebCA, so you should send it to webmaster@xxxxxxxxx and ask for a umwebCA signed cert.

-J

On Sep 14, 2005, at 2:43 PM, Will Jaynes wrote:

I'm taking a look at the JavaCosign filter and would like to set it up on my development workstation. The install section of the README.txt file talks about creating a keystore and a certificate and a signing request, and then "Have your CA sign the CSR". This brings up a couple questions for me:

1) The certificate requires a CN. I assume this should be a domain name, and I assume the dn should be that of the machine the certificate will be used on. Are those assumptions correct? My development workstation doesn't have a domain name. It's a DHCP client and only has an IP, and not always the same IP. Is this going to be a problem with regard to the certificate?

2) Who is my CA, and where do I send the CSR to have it signed?

thanks for any info,
Will








 
Copyright © 2002 - 2004 Regents of the University of Michigan :  Page last updated 15-December-2010