Certificates

by Luk VERHOEVEN

Dear,

I use CAS 3.2 with Acegi 1.0.6 and Tomcat 5.5.17. It all works locally with a generated certificate and CN name localhost. But the customer wants to test it on the server on their intranet. They use a <host>.domain. Then it shows the invalid certificate error. Is there a solution without an official CA? Even for the free CAs you must enter a valid e-mail address for the domain (it's a government), but I'm not the manager of the network; it's an external company. I can execute commands on the server as root only via the external company.

It may be a solution without SSL, because the LDAP isn't secure and sends the password as plain text. You're right, it's bad, but the customer is satisfied with it. We use the CAS server for SSO.

Thanx,

Luk,


_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas

Re: Certificates

by Velpi

You can use "your own CA" and use that to sign any certificate when you
add that CA's certificate to the truststore (of Tomcat/Java/...). You
can even add all the individual certificates to the truststore, though
that may be harder to manage.

The Java truststore is the "cacerts" file in your JRE/JDK installation.
You can use keytool to view/modify it. Tomcat uses that by default.
You can also specify another truststore file for a Tomcat connector (see
connector docs).
You may want to read these commands:
http://shib.kuleuven.be/docs/ssl_commands.shtml#keytool

Note that your "own CA"'s certificate is quite important.

--Velpi

Luk VERHOEVEN wrote:

> Dear,
>
> I use CAS 3.2 with Acegi 1.0.6 and Tomcat 5.5.17. It all works locally
> with a generated certificate and CN name localhost. But the customer
> wants to test it on the server on their intranet. They use a
> <host>.domain. Then it shows the invalid certificate error. Is there a
> solution without an official CA? Even for the free CAs you must enter a
> valid e-mail address for the domain (it's a government), but I'm not the
> manager of the network; it's an external company. I can execute
> commands on the server as root only via the external company.
>
> It may be a solution without SSL, because the LDAP isn't secure and sends
> the password as plain text. You're right, it's bad, but the customer is
> satisfied with it. We use the CAS server for SSO.
>
> Thanx,
>
> Luk,
>


--
/---------------------------------------------
| Jan "Velpi" Van der Velpen
| Velpi@... || +32 (0) 498 61 24 89
\---------------------------------------------

Re: Certificates

by Luk VERHOEVEN
Am I right?
1.) I must first create a CA via openssl.
2.) Then I must create a CSR via keytool.
3.) Then I must sign the CSR via openssl.
4.) Import the certificate in the cacerts file.

Thanks,
Luk,


From: Velpi [mailto:velpi@...]
To: Yale CAS mailing list [mailto:cas@...]
Sent: Thu, 15 May 2008 11:08:24 +0200
Subject: Re: Certificates

You can use "your own CA" and use that to sign any certificate when you
add that CA's certificate to the truststore (of Tomcat/Java/...). You
can even add all the individual certificates to the truststore, though
that may be harder to manage.

The Java truststore is the "cacerts" file in your JRE/JDK installation.
You can use keytool to view/modify it. Tomcat uses that by default.
You can also specify another truststore file for a Tomcat connector (see
connector docs).
You may want to read these commands:
http://shib.kuleuven.be/docs/ssl_commands.shtml#keytool

Note that your "own CA"'s certificate is quite important.

--Velpi


Re: Certificates

by Velpi

> Am I right?
> 1.) I must first create a CA via openssl.
> 2.) Then I must create a CSR via keytool.
> 3.) Then I must sign the CSR via openssl.
> 4.) Import the certificate in the cacerts file.
>
> Thanks, Luk,

If in '4' you mean the CA's certificate then yes.

More detailed (not tested, but should work):

1) create CA key+cert (preferably a lot more than 365 days, certainly
more than the validity of the certificate you'll sign with the CA):
$ openssl req -new -x509 -out MYCA.crt -keyout MYCA.key -days 1095 -config openssl.cnf

2) create CSR:
$ openssl req -nodes -new -x509 -out MYLOCAL.csr -keyout MYLOCAL.key -days 365 -config openssl.cnf

3) sign CSR with my own shiny CA:
$ openssl x509 -req -in MYLOCAL.csr -CA MYCA.crt -CAkey MYCA.key -CAcreateserial -out MYLOCAL.crt -days 365

4) import certificate in cacerts:
$ keytool -import -trustcacerts -alias "MyShinyCA" -file MYCA.crt -keystore $JAVA_HOME/lib/security/cacerts
("changeit")

Then install all certificates and restart the services that use them. It
should be nearly copy/paste now ;).

Good luck!

--
/---------------------------------------------
| Jan "Velpi" Van der Velpen
| Velpi@... || +32 (0) 498 61 24 89
\---------------------------------------------

RE: Certificates

by Luk VERHOEVEN

Dear,

Sorry, I must do it because we need an SSO server and I have no experience with
SSL.
I get a fault at point 3.)
 
-----Original Message-----
From: cas-bounces@... [mailto:cas-bounces@...] On
Behalf Of Velpi
Sent: donderdag 15 mei 2008 14:28
To: Yale CAS mailing list
Subject: Re: Certificates

> Am I right?
> 1.) I must first create a CA via openssl.
> 2.) Then I must create a CSR via keytool.
> 3.) Then I must sign the CSR via openssl.
> 4.) Import the certificate in the cacerts file.
>
> Thanks, Luk,

If in '4' you mean the CA's certificate then yes.

More detailed (not tested, but should work):

1) create CA key+cert (preferably a lot more than 365 days, certainly
more than the validity of the certificate you'll sign with the CA):
$ openssl req -new -x509 -out MYCA.crt -keyout MYCA.key -days 1095 -config openssl.cnf

2) create CSR:
$ openssl req -nodes -new -x509 -out MYLOCAL.csr -keyout MYLOCAL.key -days 365 -config openssl.cnf

3) sign CSR with my own shiny CA:
$ openssl x509 -req -in MYLOCAL.csr -CA MYCA.crt -CAkey MYCA.key -CAcreateserial -out MYLOCAL.crt -days 365

22860:error:0906D06C:PEM routines:PEM_read_bio:no start line:/on10/build-nd/G10U4B0/usr/src/common/openssl/crypto/pem/pem_lib.c:637:Expecting: CERTIFICATE REQUEST

I enter the right CSR file, and in the steps before, my CN is the
hostname.domain. Must I configure something?
------------------------------------------

4) import certificate in cacerts:
$ keytool -import -trustcacerts -alias "MyShinyCA" -file MYCA.crt -keystore $JAVA_HOME/lib/security/cacerts
("changeit")

Then install all certificates and restart the services that use them. It
should be nearly copy/paste now ;).

Good luck!




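The four steps Velpi lists, and the error Luk hits at step 3, as an added POSIX shell example; this is not code from the thread, from Velpi, or from the CAS project. `openssl x509 -req` reads a `-----BEGIN CERTIFICATE REQUEST-----` block. Step 2 as quoted in Luk's reply passes `-x509` to `openssl req`, which writes a self-signed certificate into MYLOCAL.csr instead of a request, and "no start line ... Expecting: CERTIFICATE REQUEST" is how OpenSSL reports that mismatch. The script below drops that flag, checks the PEM label before signing, puts the real hostname in the CN and in a subjectAltName (a CN of "localhost" is exactly what fails once the server is reached as <host>.domain), and imports only the CA certificate into cacerts. The hostname `cas.intranet.example`, the `-addext` options (OpenSSL 1.1.1 or newer), the `$CACERTS` variable and the PKCS#12 bundling step for Tomcat are assumptions, not from the thread; file names follow Velpi's.

```shell
#!/bin/sh
# Added example, not from the thread: private CA -> CSR -> signed host cert -> Java truststore.
# Assumed: placeholder hostname, OpenSSL >= 1.1.1 for -addext, cacerts path as used in the thread.
set -e

HOST="${HOST:-cas.intranet.example}"                              # assumed placeholder for <host>.domain
CACERTS="${CACERTS:-${JAVA_HOME:-/usr/java}/lib/security/cacerts}" # thread's path, JAVA_HOME assumed set

# Print the PEM label of the first block in a file, e.g. "CERTIFICATE REQUEST".
pem_type() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# Fail unless the file really is a CSR. "openssl x509 -req" expects a
# CERTIFICATE REQUEST block; a CERTIFICATE (what "openssl req -x509" writes)
# produces "PEM_read_bio:no start line ... Expecting: CERTIFICATE REQUEST".
require_csr() {
    label=$(pem_type "$1")
    if [ "$label" != "CERTIFICATE REQUEST" ]; then
        echo "$1 holds a '$label' block, not a CERTIFICATE REQUEST" >&2
        return 1
    fi
}

# 1) CA key + self-signed CA certificate: long validity, CA:TRUE, never used as a host cert.
make_ca() {
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 1095 \
        -subj "/CN=My Private CA" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" \
        -keyout MYCA.key -out MYCA.crt
}

# 2) Server key + CSR. No -x509 here: that flag turns the request into a
#    self-signed certificate. CN and SAN both carry the real hostname.
make_csr() {
    openssl req -new -nodes -newkey rsa:2048 \
        -subj "/CN=$HOST" \
        -addext "subjectAltName=DNS:$HOST" \
        -keyout MYLOCAL.key -out MYLOCAL.csr
    require_csr MYLOCAL.csr
}

# 3) Sign the CSR with the CA. "x509 -req" does not copy request extensions by
#    itself, so the SAN and the server-certificate constraints are restated here.
sign_csr() {
    require_csr MYLOCAL.csr
    printf '%s\n' "subjectAltName=DNS:$HOST" \
                  "basicConstraints=CA:FALSE" \
                  "extendedKeyUsage=serverAuth" > MYLOCAL.ext
    openssl x509 -req -in MYLOCAL.csr -CA MYCA.crt -CAkey MYCA.key -CAcreateserial \
        -days 365 -extfile MYLOCAL.ext -out MYLOCAL.crt
    openssl verify -CAfile MYCA.crt MYLOCAL.crt   # chain check before anything is deployed
}

# 4) Trust only the CA certificate in the Java truststore ("changeit" is the default password).
trust_ca() {
    keytool -importcert -trustcacerts -noprompt -alias MyShinyCA -file MYCA.crt \
        -keystore "$CACERTS" -storepass changeit
}

# Tomcat needs the server key and certificate in a keystore; keytool cannot import a
# bare private key, so bundle them as PKCS#12 and set keystoreType="PKCS12" on the connector.
bundle_for_tomcat() {
    openssl pkcs12 -export -name tomcat -in MYLOCAL.crt -inkey MYLOCAL.key \
        -certfile MYCA.crt -passout pass:changeit -out MYLOCAL.p12
}

main() {
    make_ca
    make_csr
    sign_csr
    trust_ca
    bundle_for_tomcat
}

# Run the full procedure only when asked ("sh pki.sh run"), so the functions can also be sourced.
case "${1:-}" in
    run) main ;;
esac
```

Run it once as `sh pki.sh run` on a machine with OpenSSL and a JDK, then restart Tomcat; every client that has MYCA.crt in its truststore accepts the host certificate without the "invalid certificate" warning, and that CA key is the one file that must never leave the machine that signs with it.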