Hi everyone,
I have a question regarding certificates and in particular what certificate
should be provided to a service provider. I admit that I know very little
about how certificates work, so please bear with me.
For my CAS instance, I've created my own Certificate Authority which I'm
using to make a self-signed certificate. I've created a keystore with my
certificate, CA, and key, which I'm providing to Tomcat in the server.xml.
This lets me access Tomcat and the CAS server over HTTPS.
Next, I have a php application which I've CASified with phpCAS. I'm calling
*phpCAS::setCasServerCACert($cas_server_ca_cert_path)* to enable
certificate checking. Where I'm confused is that in the sample *config.php*,
there is a comment saying that the certificate path is the "path to the ca
chain that issued the cas server certificate". This led me to believe that
I should give it my Certificate Authority, *ca.crt*. However,
authentication failed and the logs reported CURL error #60, SSL Certificate
Problem. Instead I tried giving it the actual certificate that I created,
*cas.crt*. Doing so, authentication works just fine. But AFAIK, *cas.crt* is
just the certificate that the cas server uses, which is public. If this is
the case, I don't see how it affords any extra security to have the SP
check the identical certificate against the server. I would have thought
that maybe it would have the private Certificate Authority which could
assert the validity of the server's certificate. I feel completely lost on
this, so any explanation that you could provide would be incredibly
helpful. If it helps at all, below I've included the steps I used to create
my certificates via OpenSSL.
Thanks,
Evan Sheffield
iVantage Health Analytics
~~~~~~~~~~~~~~~~~~~~~~~~~~
openssl genrsa -out ca.key 1024                                       # Create private key
openssl req -new -key ca.key -out ca.csr                              # Create certificate signing request
openssl x509 -req -days 3652 -in ca.csr -signkey ca.key -out ca.crt   # Certificate authority
openssl x509 -req -days 3652 -CA ca.crt -CAkey ca.key                 # Certificate (the -in CSR and -out file are missing here; -CAcreateserial is also needed the first time)
openssl pkcs12 -export -in cas.crt -inkey ca.key -out keyst.p12 -name tomcat -CAfile ca.crt -caname root   # keystore (-CAfile only takes effect together with -chain)
In Tomcat's server.xml:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="keyst.p12" keystorePass="changeme"
           keystoreType="PKCS12"/>
Providing ca.crt to the SP doesn't work; providing cas.crt does work.
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
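The procedure from the post, written out as an added example (this is not code from the original message, nor from the CAS or phpCAS projects): the CA gets its own key, the server gets a separate key and CSR, the CA signs the server certificate, the server key and certificate are packaged into the PKCS12 keystore for Tomcat, and the result is then checked with `openssl verify -CAfile`, which is the same chain validation curl performs when phpCAS hands the file from `setCasServerCACert()` to libcurl as CURLOPT_CAINFO. The hostname cas.example.test, the CA name, the keystore password and the temporary working directory are assumptions; the file names follow the post. The last checks show which trust anchor each shape of certificate needs: a CA-signed leaf validates against ca.crt and not against itself, while a self-signed leaf validates only against itself.

```shell
#!/bin/sh
# Added example (not from the original post): a two-key PKI for a CAS server,
# the Tomcat PKCS12 keystore, and the chain check that curl/phpCAS performs.
# Hostname, CA name, password and working directory are assumptions.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CAS_HOST="${CAS_HOST:-cas.example.test}"
STORE_PASS="${STORE_PASS:-changeme}"

# 1. The CA: its own private key and a self-signed CA certificate.
make_ca() {
    openssl genrsa -out "$WORKDIR/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3652 -key "$WORKDIR/ca.key" \
        -subj "/CN=Example Private CA" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# 2. The server: a separate key and CSR, signed by the CA (-CA/-CAkey, not
#    -signkey). The hostname goes into subjectAltName; clients match on SAN.
make_server_cert() {
    openssl genrsa -out "$WORKDIR/cas.key" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/cas.key" -subj "/CN=$CAS_HOST" \
        -out "$WORKDIR/cas.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$CAS_HOST" \
        > "$WORKDIR/cas.ext"
    openssl x509 -req -days 825 -in "$WORKDIR/cas.csr" \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
        -extfile "$WORKDIR/cas.ext" -out "$WORKDIR/cas.crt" 2>/dev/null
}

# 3. Tomcat keystore: the server key and certificate, plus the CA certificate
#    as the chain, so Tomcat can send both to clients.
make_keystore() {
    openssl pkcs12 -export -in "$WORKDIR/cas.crt" -inkey "$WORKDIR/cas.key" \
        -certfile "$WORKDIR/ca.crt" -name tomcat \
        -passout "pass:$STORE_PASS" -out "$WORKDIR/keyst.p12"
}

# Number of certificates packaged in the keystore (expected: 2, server + CA).
keystore_cert_count() {
    openssl pkcs12 -in "$WORKDIR/keyst.p12" -passin "pass:$STORE_PASS" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# 4. The chain check. curl does the same with the CURLOPT_CAINFO file:
#    does certificate $2 chain up to a trust anchor in $1?  Prints OK or FAIL.
verify_against() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# For comparison: a self-signed server certificate (issuer == subject, signed
# with its own key), the shape a leaf takes when made with -signkey.
make_selfsigned_leaf() {
    openssl req -new -x509 -days 825 -key "$WORKDIR/cas.key" \
        -subj "/CN=$CAS_HOST" -out "$WORKDIR/self.crt" 2>/dev/null
}

make_ca
make_server_cert
make_keystore
make_selfsigned_leaf
echo "certificates in keyst.p12:         $(keystore_cert_count)"
echo "cas.crt  against ca.crt  (CAINFO): $(verify_against "$WORKDIR/ca.crt"   "$WORKDIR/cas.crt")"
echo "cas.crt  against cas.crt:          $(verify_against "$WORKDIR/cas.crt"  "$WORKDIR/cas.crt")"
echo "self.crt against ca.crt:           $(verify_against "$WORKDIR/ca.crt"   "$WORKDIR/self.crt")"
echo "self.crt against self.crt:         $(verify_against "$WORKDIR/self.crt" "$WORKDIR/self.crt")"
```

Point Tomcat's keystoreFile at keyst.p12 and phpCAS's setCasServerCACert() at ca.crt; only the CA certificate needs to be copied to the service provider, and the CA key stays off the CAS host and the SP entirely. The check fails without -partial_chain when a CA-signed leaf is used as the CAINFO file, because OpenSSL only accepts a self-signed certificate from the trust store as a chain terminus.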