Found the needle in the haystack:
chain [0] = [
[
Version: V3
Subject: CN=*.uni.edu, OU=Information Technology Services - Information Systems, O=University of Northern Iowa, L=Cedar Falls, ST=Iowa, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: SunPKCS11-Solaris RSA public key, 1024 bits (id 18375032, session object)
modulus:
150252834723561447967415045547110642718186254487638106274530683717502202186242739986401301532067909257705376376731702670798392352220276069305613608914222704280715074880254729626699122945560042771374711093102394381214967841639350759335294151180419448599809918344003825320472445869538730864301794080354316670753
public exponent: 65537
Validity: [From: Tue Jun 02 19:00:00 CDT 2009,
To: Fri Aug 06 18:59:59 CDT 2010]
Issuer: CN=DigiCert Global CA, OU=www.digicert.com, O=DigiCert Inc, C=US
SerialNumber: [ 03e6c037 e13346ac 82383d90 45d19d35]
Certificate Extensions: 9
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[accessMethod: 1.3.6.1.5.5.7.48.1
accessLocation: URIName: http://ocsp.digicert.com, accessMethod: 1.3.6.1.5.5.7.48.2
accessLocation: URIName: http://www.digicert.com/CACerts/DigiCertGlobalCA.crt]
]
[2]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: accesstest.uni.edu
DNSName: zany.admin.uni.edu
DNSName: accessstage.uni.edu
DNSName: sage.admin.uni.edu
DNSName: uni.edu
DNSName: *.uni.edu
]
[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A7 C7 13 A0 7A 01 3C 9D EF 82 48 82 48 D5 73 51 ....z.<...H.H.sQ
0010: B6 12 56 2A ..V*
]
]
[4]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 82 5E F6 7D C8 64 CA EE C5 5E 5F 67 5F DC 18 15 .^...d...^_g_...
0010: 57 EC DB F1 W...
]
]
[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.840.1.114412.1.3.0.1]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 2E 68 74 74 70 3A 2F 2F 77 77 77 2E 64 69 67 ..http://www.dig
0010: 69 63 65 72 74 2E 63 6F 6D 2F 73 73 6C 2D 63 70 icert.com/ssl-cp
0020: 73 2D 72 65 70 6F 73 69 74 6F 72 79 2E 68 74 6D s-repository.htm
], PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.2
]] ]
]
[6]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]
[7]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
[8]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl3.digicert.com/DigiCertGlobalCA-2009g.crl]
, DistributionPoint:
[URIName: http://crl4.digicert.com/DigiCertGlobalCA-2009g.crl]
]]
[9]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
]
Algorithm: [SHA1withRSA]
Signature:
]
That's the cert chain immediately before the PKIX validation error.
The chain appears truncated since in the previous SSL/TLS handshakes
in the log, the full chain from *.uni.edu down to Entrust is shown.
Hopefully knowing you're not sending the full chain in some cases is
enough of a hint to point you in the right direction.
M
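
Added example, not part of the original message: one way to spot handshakes in a javax.net.debug log where the presented chain stops short of a trusted issuer, as diagnosed above. The sample log, the DNs and the TRUSTED set are constructed assumptions, and the check compares issuer and subject names only.

```python
import re

# Constructed sample shaped like javax.net.debug output (not from the post):
# handshake 1 sends leaf + intermediate, handshake 2 sends only the leaf.
SAMPLE_LOG = """\
chain [0] = [
[
  Subject: CN=*.example.test, O=Example Org, C=US
  Issuer: CN=Example Intermediate CA, O=Example CA Inc, C=US
]
chain [1] = [
[
  Subject: CN=Example Intermediate CA, O=Example CA Inc, C=US
  Issuer: CN=Example Root CA, O=Example CA Inc, C=US
]
chain [0] = [
[
  Subject: CN=*.example.test, O=Example Org, C=US
  Issuer: CN=Example Intermediate CA, O=Example CA Inc, C=US
]
"""
# Assumption: subject DNs of the roots in the client's trust store.
TRUSTED = {"CN=Example Root CA, O=Example CA Inc, C=US"}

def parse_chains(log):
    """Group certificates into presented chains; 'chain [0]' starts a new one."""
    chains = []
    for line in log.splitlines():
        line = line.strip()
        m = re.match(r"chain \[(\d+)\] = \[", line)
        if m:
            if m.group(1) == "0" or not chains:
                chains.append([])
            chains[-1].append({})
        elif chains and chains[-1]:
            for field in ("Subject", "Issuer"):
                if line.startswith(field + ": "):
                    chains[-1][-1].setdefault(field, line[len(field) + 2:])
    return chains

def assess(chain, trusted=TRUSTED):
    """Name-chaining check only; signatures are not verified here."""
    for cert, nxt in zip(chain, chain[1:]):
        if cert.get("Issuer") != nxt.get("Subject"):
            return "out of order after: " + str(cert.get("Subject"))
    last = chain[-1]
    if last.get("Issuer") in trusted or last.get("Subject") in trusted:
        return "ok"
    return "incomplete, issuer not sent and not trusted: " + str(last.get("Issuer"))
```

Calling assess() on each entry of parse_chains() over a real debug log shows which handshakes would need the client to already hold the intermediate.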