Hi, I want to preface this by first saying that I know that this question is probably pretty broad, but I'm hoping that someone on this list might be able to help.

We are working with web services; our SOAP messages have SAML assertions that are digitally signed. So, on the web service "client" side, we have a private key and a corresponding certificate, and on the web service "server" side, we have the certificate which is used for the validation of the digital signature.

We've been in development and testing for a while, using certs from an in-house CA, but now we're moving to a new environment, where the certs have to be issued by a 3rd party CA. Since doing that, we have encountered a problem where, on the server side, we are getting "failed to validate signature".

We have a couple of different configurations, one where the web service end is hosted on WebLogic, and another where the web service end is on an XML appliance, and we are having similar "failed to validate signature" problems with both. Also, on the XML appliance, we can configure it to do just the signature validation without verifying the certificate chain, so we're pretty sure that the problem is not a chaining problem.

We're not 100% sure, but we've eliminated almost every other possibility, and it appears that the problem may be that, for some reason, the certs that we got are not suitable for validating digital signatures. The 3rd party CA can issue "SSL Server certificates" or "SSL Client certificates", and, right now, the certs that we have been trying to use are "SSL Server certificates" (as designated by the CA).

We've looked at the certificates using various tools, including "keytool" and "openssl x509", and they look "ok". The certs have Key Usage of:

    Digital Signature
    Key Encipherment
    Key Agreement

They also have a "Netscape type" of "SSL Server Authentication". Finally, they have two extension OIDs:

    2.16.840.1.101.2.1.11.7
    2.16.840.1.101.2.1.11.8

Finally, I have to again say that we're still not 100% sure if the problem is the certs, but we've eliminated everything else that we can think of, so I was hoping that maybe someone might have some experience that might tell us what might possibly be going on with these certs that might prevent them from being used for digital signature validation?

Thanks in advance.

Jim

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
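The checks below are an added diagnostic for the situation described in the post, not code from the post or from OpenSSL: they print the usage extensions a validator may enforce, confirm the private key actually belongs to the certificate, and run a sign/verify round trip with the certificate's public key. The self-signed sample pair, the file names and the payload are constructed here; it assumes OpenSSL 1.1.1 or later (for `-addext` and `x509 -ext`).

```shell
#!/bin/sh
# Added diagnostic for a "failed to validate signature" report (not from the
# original post). Inputs: the certificate the server validates with and the
# private key the SOAP client signs with.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the 3rd-party cert: self-signed, with the same Key
# Usage bits and the "SSL Server" EKU the post describes.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=sample-soap-client" \
    -addext "keyUsage=digitalSignature,keyEncipherment,keyAgreement" \
    -addext "extendedKeyUsage=serverAuth" \
    -keyout "$WORK/client.key" -out "$WORK/client.crt" >/dev/null 2>&1
}

# 1. Show the usage extensions a strict validator may check.
show_usage() { openssl x509 -in "$1" -noout -ext keyUsage,extendedKeyUsage; }

# 2. The Key Usage bit that signature validation needs.
has_digital_signature_ku() {
  openssl x509 -in "$1" -noout -ext keyUsage | grep -q "Digital Signature"
}

# 3. Does the private key really belong to this cert? Compare SPKI digests.
keypair_matches() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ "$c" = "$k" ]
}

# 4. Sign a constructed payload with the key, verify with the cert's public
#    key: the same RSA/SHA-256 primitive an XML-DSig validator ends up running.
sig_roundtrip() {
  printf 'constructed SOAP body' > "$WORK/body.txt"
  openssl x509 -in "$1" -noout -pubkey > "$WORK/pub.pem"
  openssl dgst -sha256 -sign "$2" -out "$WORK/body.sig" "$WORK/body.txt"
  openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$WORK/body.sig" "$WORK/body.txt" >/dev/null
}

# Usage: ./certcheck.sh [cert.pem key.pem]; with no arguments the sample pair is checked.
CERT=${1:-}; KEY=${2:-}
if [ -z "$CERT" ]; then make_sample_cert; CERT=$WORK/client.crt; KEY=$WORK/client.key; fi
show_usage "$CERT"
has_digital_signature_ku "$CERT" && echo "keyUsage includes digitalSignature"
keypair_matches "$CERT" "$KEY" && echo "private key matches certificate"
sig_roundtrip "$CERT" "$KEY" && echo "signature round-trip OK"
```

If step 3 or 4 fails for the real pair, the server is validating against a certificate that does not match the signing key; if both pass but the appliance still rejects the signature, the validator is enforcing something beyond the raw key usage bits.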