On 22/07/13 08:34, Oliver Wulff wrote:
>
> No, the certificate you see as part of the SSL handshake is different.
>
> You see the IDP certificate here:
> https://186.33.232.65/FederationMetadata/2007-06/FederationMetadata.xml
>
> RoleDescriptor->KeyDescriptor->KeyInfo->X509Data
>
>
Apparently the SSL certificate used for HTTPS is the same self-signed
certificate in the Federation metadata XML (the exported certificate
from the browser has the same text as the FederationMetadata.xml XML
portion).
I have imported it in my stsstore.jks creating a text file with the XML
portion.
Keytool shows this as well as other keys.
----
keytool -list -keystore stsstore.jks -storepass stsspass
myidpkey, 23/07/2013, trustedCertEntry,
Huella Digital de Certificado (SHA1):
0A:A0:F2:34:99:92:92:CF:6C:3F:09:99:5F:33:CD:FD:2A:DC:ED:53
----
(SHA1 matches the one shown by the browser.)
I'm getting HTTP 401 - Authentication Failed: Security token issuer not
trusted
So I looked at fediz_config.xml
<trustedIssuers>
<issuer subject=".*CN=www.sts.com.*"
certificateValidation="ChainTrust"
name="DoubleItSTSIssuer" />
</trustedIssuers>
Do I have to change that? And how can I find out the info from the
certificate? The IDP is using a self-signed certificate.
So the issuer common name (CN) is "WIN-6LS98RP43K9", the certificate is
issued to the same CN "WIN-6LS98RP43K9".
The documentation seems to be clear:
There are two ways to configure a trusted issuer (IDP). Either you
configure the subject name and the CA(s) who signed the certificate of
the IDP (certificateValidation=ChainTrust) or you configure the
certificate of the IDP and the CA(s) who signed it
(certificateValidation=PeerTrust).
I just don't know enough about certificates.
I tried
<issuer subject="WIN-6LS98RP43K9"
certificateValidation="ChainTrust"
name="WIN-6LS98RP43K9" />
and
<issuer subject=".*CN=186.33.232.65.*"
certificateValidation="ChainTrust"
name="WIN-6LS98RP43K9" />
but I'm not sure what I'm doing.
Thanks for any help.
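Added example for this thread (not code from the mail above or from Fediz): it walks the RoleDescriptor -> KeyDescriptor -> KeyInfo -> X509Data path of a FederationMetadata.xml document, decodes the embedded certificate, prints the colon-separated SHA1 fingerprint in the form keytool and the browser display so the two can be compared, writes the certificate as PEM for `keytool -importcert`, and checks a trusted-issuer `subject` pattern against a subject DN. The metadata document, the entityID and the certificate bytes are all constructed placeholders, not a real certificate. The matching helper assumes, as the sample pattern `.*CN=www.sts.com.*` suggests, that the `subject` value is a regular expression that must match the whole subject DN of the token-signing certificate.

```python
"""Pull the IdP signing certificate out of WS-Federation metadata, fingerprint
it and write it as PEM for a keytool import; also check a Fediz-style
trusted-issuer subject pattern against a subject DN.

Added example for this thread, not code from the original mail or from
Fediz. Every input below is constructed; the X509Certificate content is a
placeholder string, not a real DER certificate.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

# Namespaces in FederationMetadata.xml: WS-Federation metadata reuses SAML
# metadata elements, and KeyInfo/X509Data come from XML-DSig.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder standing in for the DER bytes of the IdP certificate.
PLACEHOLDER_DER = b"NOT-A-REAL-CERT"

# Constructed metadata document mirroring the RoleDescriptor -> KeyDescriptor
# -> KeyInfo -> X509Data path mentioned in the thread. The base64 text is the
# placeholder above, not a certificate.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    entityID="https://idp.example.test/">
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>
            Tk9ULUEtUkVBTC1DRVJU
          </X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
  </RoleDescriptor>
</EntityDescriptor>
"""


def extract_signing_certificate_der(metadata_xml: str) -> bytes:
    """Return the DER bytes of the first signing certificate in the metadata."""
    root = ET.fromstring(metadata_xml)
    path = ("md:RoleDescriptor/md:KeyDescriptor[@use='signing']"
            "/ds:KeyInfo/ds:X509Data/ds:X509Certificate")
    node = root.find(path, NS)
    if node is None or not node.text:
        raise ValueError("no signing X509Certificate found in metadata")
    # Metadata usually wraps the base64 over several lines; drop all whitespace.
    return base64.b64decode("".join(node.text.split()), validate=True)


def sha1_fingerprint(der: bytes) -> str:
    """SHA-1 over the DER bytes, in the colon-separated form keytool and
    browsers display (e.g. 0A:A0:F2:...)."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def to_pem(der: bytes) -> str:
    """Wrap DER bytes as a PEM block that `keytool -importcert` accepts."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def subject_matches(pattern: str, subject_dn: str) -> bool:
    """Assumption: the <issuer subject="..."> value is a regular expression that
    must match the whole subject DN of the token-signing certificate, which is
    what the sample pattern `.*CN=www.sts.com.*` suggests."""
    return re.fullmatch(pattern, subject_dn) is not None


if __name__ == "__main__":
    der = extract_signing_certificate_der(SAMPLE_METADATA)
    print("SHA1 fingerprint:", sha1_fingerprint(der))
    print(to_pem(der), end="")
    # A bare CN with no "CN=" and no wildcards cannot match a full DN.
    for pat in ("WIN-6LS98RP43K9", ".*CN=WIN-6LS98RP43K9.*"):
        print(f"{pat!r:32} -> {subject_matches(pat, 'CN=WIN-6LS98RP43K9')}")
```

Run against the real metadata URL from the thread, the fingerprint should equal the 0A:A0:F2:... value keytool printed, which confirms the imported entry is the IdP's signing certificate and not only the HTTPS one. The last loop shows why a pattern without `CN=` and without leading and trailing `.*` cannot match the subject DN `CN=WIN-6LS98RP43K9` named in the mail. For a self-signed IdP certificate there is no separate CA to trust; the documentation quoted above calls configuring the IdP certificate itself PeerTrust.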