[foaf-protocols] disappointing experience with my new webid...

Henry Story henry.story at gmail.com
Wed Aug 4 20:27:08 CEST 2010


On 29 Jul 2010, at 21:05, Reto Bachmann-Gmür wrote:
>> as an aside, your domain is trusted for me on my remote boxes and local
>> browsers (other than opera) since you have a startssl certificate, which my
>> servers are aware of - might be worth everybody having that ca chain cert
>> installed on their servers if they are doing anything webid.
> yes, for java this can be done by replacing the cacerts file in
> $JAVA_HOME/jre/lib/security.
> How the replacement cacerts-file can be generated is described here:
> http://blogs.sun.com/andreas/entry/no_more_unable_to_find

That is an interesting program. But I think it will just add intermediate
CAs to the cacerts file. What we want is to add the root certificate to the
cert file.

Anyway, here is the output I get from it:

--------------------------------------------------------------------
$ java -jar target/InstallCert-0.2.jar www.startssl.com
Loading KeyStore /System/Library/Frameworks/JavaVM.framework/Versions/1.6.0/Home/lib/security/cacerts...
Opening connection to www.startssl.com:443...
Starting SSL handshake...

No errors, certificate is already trusted

Server sent 2 certificate(s):

 1 Subject OID.1.3.6.1.4.1.311.60.2.1.3=IL, OID.2.5.4.15="V1.2, Clause 7.2.2", SERIALNUMBER=513747303, EMAILADDRESS=webmaster at startcom.org, CN=www.startssl.com, OU=StartCom Extended Validation, O=StartCom Ltd. (Start Commercial Limited), L=Eilat, C=IL, OID.2.5.4.13=204415-44gtWT9EyhN7cmv2
   Issuer  CN=StartCom Extended Validation Server CA, OU=StartCom Certification Authority, O=StartCom Ltd., C=IL
   sha1    15 ac b0 cc 14 7c ca 05 0f e9 a1 0a 96 ae 37 23 9d a4 10 12 
   md5     18 c7 86 4b bf fb cb be 58 8d 8b 59 61 34 8d be 

 2 Subject CN=StartCom Extended Validation Server CA, OU=StartCom Certification Authority, O=StartCom Ltd., C=IL
   Issuer  CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
   sha1    65 73 55 a6 bb 68 f9 3d 33 cc b7 58 b4 2f 5e 1a 7d 85 c9 c4 
   md5     01 d3 0c 7e b6 fb e9 ef 80 f5 9d 47 bb f4 5f 27 

Enter certificate to add to trusted keystore or 'q' to quit: [1]
--------------------------------------------------------------------

The second one has as issuer CN=StartCom Certification Authority,
which I have on my laptop in the OSX keychain.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: StartCom Certification Authority.cer
Type: application/x-x509-ca-cert
Size: 1997 bytes
Desc: not available
Url : http://lists.foaf-project.org/pipermail/foaf-protocols/attachments/20100804/e23bb839/attachment.crt 
-------------- next part --------------


You can view the details using:

$ openssl x509 -inform der -in StartCom\ Certification\ Authority.cer -text

As it turns out, that cert is available in my cacerts on my OSX laptop too:

--------------------------------------------------------------------
$ keytool -list -keystore $JAVA_HOME/lib/security/cacerts -v | grep StartCom
Enter keystore password:  changeit
Owner: CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
Issuer: CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
Owner: EMAILADDRESS=admin at startcom.org, CN=Free SSL Certification Authority, OU=CA Authority Dep., O=StartCom Ltd., L=Eilat, ST=Israel, C=IL
Issuer: EMAILADDRESS=admin at startcom.org, CN=Free SSL Certification Authority, OU=CA Authority Dep., O=StartCom Ltd., L=Eilat, ST=Israel, C=IL
[EMAILADDRESS=admin at startcom.org, CN=Free SSL Certification Authority, OU=CA Authority Dep., O=StartCom Ltd., L=Eilat, ST=Israel, C=IL]


--------------------------------------------------------------------

But it was not in my cacerts on the server.

To add it to that file one can simply:

--------------------------------------------------------------------
$ keytool -keystore cacerts.jks -import -file StartCom\ Certification\ Authority.cer -alias startcom_root_ca
--------------------------------------------------------------------

But instead I think I will just add the OSX certificate store to
the server on foafssl.org.

That is done. Let me know if it works.

Henry
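As an added example (not code from this thread, nor from the InstallCert tool it discusses), the following Java program does offline what the mail does by hand with keytool: it loads a cacerts truststore, builds a PKIX path from the server's chain saved as DER files (leaf first, as InstallCert lists them; do not pass the root itself), and, when validation fails, names the issuer of the top certificate, i.e. the root that must be imported, and reports whether a certificate with that subject is already present. The class name, the file arguments and the default "changeit" password are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.security.auth.x500.X500Principal;

// Hypothetical helper, not part of the mailing-list thread.
public class CheckChainAgainstCacerts {

    // True if some trusted entry in the keystore has exactly this subject DN.
    static boolean truststoreHasSubject(KeyStore ks, X500Principal subject) throws Exception {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            Certificate c = ks.getCertificate(e.nextElement());
            if (c instanceof X509Certificate
                    && ((X509Certificate) c).getSubjectX500Principal().equals(subject)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: CheckChainAgainstCacerts <cacerts> <leaf.cer> [intermediate.cer ...]");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, "changeit".toCharArray()); // default cacerts password, as in the mail
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();       // leaf first, then intermediates
        for (int i = 1; i < args.length; i++) {
            try (InputStream in = new FileInputStream(args[i])) {
                chain.add((X509Certificate) cf.generateCertificate(in)); // accepts DER or PEM
            }
        }
        PKIXParameters params = new PKIXParameters(ks);      // every trusted entry is an anchor
        params.setRevocationEnabled(false);                   // offline: no CRL/OCSP fetch here
        try {
            PKIXCertPathValidatorResult r = (PKIXCertPathValidatorResult)
                CertPathValidator.getInstance("PKIX").validate(cf.generateCertPath(chain), params);
            System.out.println("Chain trusted via anchor: "
                + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            X500Principal wantedRoot = chain.get(chain.size() - 1).getIssuerX500Principal();
            System.out.println("Chain NOT trusted: " + e.getMessage());
            System.out.println("Root needed as anchor: " + wantedRoot);
            System.out.println(truststoreHasSubject(ks, wantedRoot)
                ? "That subject is present, so the failure is not a missing anchor (check validity dates)."
                : "That root is absent; import it with keytool -import rather than trusting the leaf.");
        }
    }
}
```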