
RE: Example3 - SSL not trusted error message



Sender: "John King" <jking@xxxxxxxxxxx>

Scott, Ian,

Thanks for the replies. In hopes that it may save trouble for someone else,
let me recap my experience below:

1) It was discovered that our IBM-supplied Verisign Certificates of
Authority (CAs) had expired and we needed to manually update the CAs in the
*SYSTEM store. Both the Verisign Class2 and Class3 certificates had expired
07Jan04. The Class1 cert was still OK, but IBM said no one uses that cert
anymore. Go figure.

2) After opening a PMR, IBM emailed me a document which included the
following base64-encoded CA named "caroot.txt". Note: there is also a
"roots.zip" file available from Verisign which contains a whole host of
other CAs, but these lack the "-Begin Certificate-" and "-End Certificate-"
lines that seem to be required in order for DCM to import. See:
http://www.verisign.com/support/roots.html. I was not able to import those
files into DCM until I manually added the "Begin/End" lines. 

3) Using DCM "FastPath | Work with CA Certificates" I printed a copy of the
screen for reference.

4) Using the DCM export feature, I archived the existing Class2 and Class3
CAs to 'VerisignClass2expired.txt' and 'VerisignClass3expired.txt', then
deleted both of the expired CAs.

5) Using the DCM import feature, I imported the IBM-supplied "caroot.txt"
file from the IFS, naming the new CA exactly the same as the old one - i.e.:
"Verisign Class 3 Public Primary Certification Authority".

6) The IBM email also included an additional CA that was referred to as an
"Intermediate CA". Since I'm running out of research time and getting rather
cranky about this whole process, I chose to repeat step 5, this time using the
"intermediate.txt" file and naming it "Verisign Intermediate CA".

7) DCM now shows three Verisign CAs: the old "Class1" CA and the two new
CAs.

8) Using the DCM "Manage Applications | Define CA Trust List" I assigned the
two new CAs to the Trust List for the "SCK_HTTPAPI_EXAMPLES" application.

9) I altered the code in "Example3" to point to "https://verisign.com/"
instead of "https://ssl.ahnet.net/SSL/klemen/" and recompiled the program.
Success!

John King

Caroot.txt
-----BEGIN CERTIFICATE-----
[base64 certificate body not reproduced here]
-----END CERTIFICATE-----

Intermediate.txt
-----BEGIN CERTIFICATE-----
[base64 certificate body not reproduced here]
-----END CERTIFICATE-----

> Hi John,
> 
> There are two problems:
> 
> >  In DCM, the Verisign class 1 certificate appears OK but the class 2 and
> > class 3 certificates expired in January 2004.
> 
> 1)  VeriSign's intermediate certificates expired on January 7, 2004. Until
> you update your CA certs, most VeriSign sites won't be trusted.
> 
> If you update to CUM PTF level C4077520 or later, the problem will be
> fixed for new certificate stores, but not for existing ones.  To fix the
> existing ones, you need to manually download & install the updated
> intermediate certificates from VeriSign.  They've got a web page set up to
> explain the process:
> 
>   https://www.verisign.com/support/site/caReplacement.html
> 
> Personally, I had a hard time figuring out how to get it done with info
> from that site, but maybe that's just me!  If nothing else, call IBM
> support and get them to help you.
> 
> > In an attempt to see what certificate the target website is using, I
> > tried to access "https://ssl.ahnet.net/SSL/klemen/" (the URL that
> > Example3 points to) via IE6 and received an "HTTP 404 Not Found".
> 
> 2) https://ssl.ahnet.net no longer exists.  I used to have an SSL server
> with that URL years ago, but not anymore.  That example should be removed
> from HTTPAPI.
> 
> In fact, I should go through and clean up all of the EXAMPLEx members,
> since many of them aren't the best way to do things anymore.  Thanks for
> the heads up on this!
> 
> A better SSL example would be EXAMPLE16, (though the SSL part of EXAMPLE4
> & EXAMPLE5 should still work)
> 
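Two of the points in this thread (the roots.zip files lacking the Begin/End armor lines that DCM needs, and confirming a CA's expiry date before trusting it) can be checked offline before touching DCM. The following Python is an added example, not code from the list, from HTTPAPI, or from IBM or VeriSign: it wraps bare base64 in PEM armor re-flowed to 64-character lines, reads the validity dates straight out of the DER with a minimal ASN.1 walker (standard library only), and reports whether the certificate has expired. The sample certificate it builds is a constructed skeleton with no real key or signature, whose notAfter is set to 07 Jan 2004 to mirror the expired Class 2/3 roots; it is not VeriSign's certificate.

```python
import base64
import datetime

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"
UTC = datetime.timezone.utc


def to_pem(text: str) -> str:
    """Wrap bare base64 (as in the roots.zip files) in the BEGIN/END armor that
    DCM import expects, re-flowing the body to 64-character lines. Existing
    armor is stripped first, so already-armored input is normalised, not doubled."""
    body = text.replace(PEM_HEADER, "").replace(PEM_FOOTER, "")
    b64 = "".join(body.split())
    base64.b64decode(b64, validate=True)        # fail early on non-base64 content
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def pem_to_der(pem: str) -> bytes:
    """Decode the armored body back to DER bytes."""
    body = pem.split(PEM_HEADER, 1)[1].split(PEM_FOOTER, 1)[0]
    return base64.b64decode("".join(body.split()), validate=True)


def _tlv(data: bytes, pos: int):
    """Decode one DER tag-length-value at pos -> (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                           # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def _children(value: bytes):
    """Split a SEQUENCE body into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = _tlv(value, pos)
        out.append((tag, inner))
    return out


def _parse_time(tag: int, value: bytes) -> datetime.datetime:
    text = value.decode("ascii")
    if tag == 0x17:                             # UTCTime: YYMMDDHHMMSSZ
        dt = datetime.datetime.strptime(text, "%y%m%d%H%M%SZ")
        if dt.year >= 2050:                     # RFC 5280 pivot: 50-99 means 19xx
            dt = dt.replace(year=dt.year - 100)
    elif tag == 0x18:                           # GeneralizedTime: YYYYMMDDHHMMSSZ
        dt = datetime.datetime.strptime(text, "%Y%m%d%H%M%SZ")
    else:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return dt.replace(tzinfo=UTC)


def validity(der: bytes):
    """Return (notBefore, notAfter) from an X.509 DER certificate."""
    _, cert, _ = _tlv(der, 0)                   # Certificate ::= SEQUENCE
    tbs = _children(cert)[0][1]                 # tbsCertificate is its first element
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                    # optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    not_before, not_after = _children(fields[3][1])
    return _parse_time(*not_before), _parse_time(*not_after)


def is_expired(pem_or_b64: str, now: datetime.datetime = None) -> bool:
    """True when notAfter is before 'now' (default: the real clock, UTC)."""
    now = now or datetime.datetime.now(UTC)
    return validity(pem_to_der(to_pem(pem_or_b64)))[1] < now


# Constructed sample input: a structurally valid, unsigned certificate skeleton.
def _enc(tag: int, value: bytes) -> bytes:
    """DER-encode one TLV (short and long length forms)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def sample_cert_b64(not_before: str, not_after: str) -> str:
    """Bare base64 (no armor) of a minimal X.509 skeleton with the given UTCTime
    validity strings. Built for this example only; it has no real key or signature."""
    algo = _enc(0x30, _enc(0x06, bytes.fromhex("2a864886f70d010105")))  # sha1WithRSA OID
    tbs = _enc(0x30, b"".join([
        _enc(0xA0, _enc(0x02, b"\x02")),                          # version v3
        _enc(0x02, b"\x01"),                                      # serialNumber
        algo,                                                     # signature
        _enc(0x30, b""),                                          # issuer (empty Name)
        _enc(0x30, _enc(0x17, not_before.encode()) + _enc(0x17, not_after.encode())),
        _enc(0x30, b""),                                          # subject
        _enc(0x30, algo + _enc(0x03, b"\x00")),                   # subjectPublicKeyInfo (dummy)
    ]))
    return base64.b64encode(_enc(0x30, tbs + algo + _enc(0x03, b"\x00"))).decode("ascii")


if __name__ == "__main__":
    bare = sample_cert_b64("970101000000Z", "040107235959Z")  # expired 07 Jan 2004
    print(to_pem(bare))
    print("expired:", is_expired(bare))
```

Run it as a script to see the armored output and the expiry verdict; for a real CA file, pass the file's text to `to_pem()` to get something DCM will accept and to `is_expired()` to confirm it is still within its validity period before adding it to a trust list. The walker only reads the validity field and does not verify signatures, so it is a pre-import sanity check, not a replacement for DCM's own validation.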

