
RE: Example3 - SSL not trusted error message



Sender: Scott Klement <klemscot@xxxxxxxxxxxx>


On a slightly related note, there's a really good introduction to the
terms & concepts used in SSL at the following link:

http://httpd.apache.org/docs-2.0/ssl/ssl_intro.html


On Thu, 21 Oct 2004, John King wrote:
> Scott, Ian,
>
>  Thanks for the replies. In hopes that it may save trouble for someone else,
> let me recap my experience below:
>
> 1) It was discovered that our IBM-supplied Verisign Certificates of
> Authority (CAs) had expired and we needed to manually update the CAs in the
> *SYSTEM store. Both the Verisign Class2 and Class3 certificates had expired
> 07Jan04. The Class1 cert was still OK, but IBM said no one uses that cert
> anymore. Go figure.
>
> 2) After opening a PMR, IBM emailed me a document which included the
> following base64-encoded CA named "caroot.txt". Note: there is also a
> "roots.zip" file available from Verisign which contains a whole host of
> other CAs, but these lack the "-Begin Certificate-" and "-End Certificate-"
> lines that seem to be required in order for DCM to import. See:
> http://www.verisign.com/support/roots.html. I was not able to import those
> files into DCM until I manually added the "Begin/End" lines.
>
> 3) Using DCM "FastPath | Work with CA Certificates" I printed a copy of the
> screen for reference.
>
> 4) Using the DCM export feature, I archived the existing Class2 and Class3
> CAs to 'VerisignClass2expired.txt' and 'VerisignClass3expired.txt', then
> deleted both of the expired CAs.
>
> 5) Using the DCM import feature, I imported the IBM-supplied "caroot.txt"
> file from the IFS, naming the new CA exactly the same as the old one - i.e.:
> "Verisign Class 3 Public Primary Certification Authority".
>
> 6) The IBM email also included an additional CA that was referred to as an
> "Intermediate CA". Since I'm running out of research time and getting rather
> cranky about this whole process I chose to repeat step 5, this time using the
> "intermediate.txt" file and naming it "Verisign Intermediate CA".
>
> 7) DCM now shows three Verisign CAs: the old "Class1" CA and the two new
> CAs.
>
> 8) Using the DCM "Manage Applications | Define CA Trust List" I assigned the
> two new CAs to the Trust List for the "SCK_HTTPAPI_EXAMPLES" application.
>
> 9) I altered the code in "Example3" to point to "https://verisign.com/"
> instead of "https://ssl.ahnet.net/SSL/klemen/" and recompiled the program.
> Success!
>
> John King
>
> Caroot.txt
> -----BEGIN CERTIFICATE-----
> MIICPDCCAaUCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQECBQAwXzELMAkG
> A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz
> cyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2
> MDEyOTAwMDAwMFoXDTI4MDgwMTIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV
> BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmlt
> YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN
> ADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ2RHP7gJYHyX3KqhE
> BarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/is
> I19wKTakyYbnsZogy1Olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0G
> CSqGSIb3DQEBAgUAA4GBALtMEivPLCYATxQT3ab7/AoRhIzzKBxnki98tsX63/Do
> lbwdj2wsqFHMc9ikwFPwTtYmwHYBV4GSXiHx0bH/59AhWM1pF+NEHJwZRDmJXNyc
> AA9WjQKZ7aKQRUzkuxCkPfAyAw7xzvjoyVGM5mKf5p/AfbdynMk2OmufTqj/ZA1k
> -----END CERTIFICATE-----
>
> Intermediate.txt
> -----BEGIN CERTIFICATE-----
> MIIDgzCCAuygAwIBAgIQJUuKhThCzONY+MXdriJupDANBgkqhkiG9w0BAQUFADBf
> MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsT
> LkNsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkw
> HhcNOTcwNDE3MDAwMDAwWhcNMTExMDI0MjM1OTU5WjCBujEfMB0GA1UEChMWVmVy
> aVNpZ24gVHJ1c3QgTmV0d29yazEXMBUGA1UECxMOVmVyaVNpZ24sIEluYy4xMzAx
> BgNVBAsTKlZlcmlTaWduIEludGVybmF0aW9uYWwgU2VydmVyIENBIC0gQ2xhc3Mg
> MzFJMEcGA1UECxNAd3d3LnZlcmlzaWduLmNvbS9DUFMgSW5jb3JwLmJ5IFJlZi4g
> TElBQklMSVRZIExURC4oYyk5NyBWZXJpU2lnbjCBnzANBgkqhkiG9w0BAQEFAAOB
> jQAwgYkCgYEA2IKA6NYZAn0fhRg5JaJlK+G/1AXTvOY2O6rwTGxbtueqPHNFVbLx
> veqXQu2aNAoV1Klc9UAl3dkHwTKydWzEyruj/lYncUOqY/UwPpMo5frxCTvzt01O
> OfdcSVq4wR3Tsor+cDCVQsv+K1GLWjw6+SJPkLICp1OcTzTnqwSye28CAwEAAaOB
> 4zCB4DAPBgNVHRMECDAGAQH/AgEAMEQGA1UdIAQ9MDswOQYLYIZIAYb4RQEHAQEw
> KjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL0NQUzA0BgNV
> HSUELTArBggrBgEFBQcDAQYIKwYBBQUHAwIGCWCGSAGG+EIEAQYKYIZIAYb4RQEI
> ATALBgNVHQ8EBAMCAQYwEQYJYIZIAYb4QgEBBAQDAgEGMDEGA1UdHwQqMCgwJqAk
> oCKGIGh0dHA6Ly9jcmwudmVyaXNpZ24uY29tL3BjYTMuY3JsMA0GCSqGSIb3DQEB
> BQUAA4GBAAgB7ORolANC8XPxI6I63unx2sZUxCM+hurPajozq+qcBBQHNgYL+Yhv
> 1RPuKSvD5HKNRO3RrCAJLeH24RkFOLA9D59/+J4C3IYChmFOJl9en5IeDCSk9dBw
> E88mw0M9SR2egi5SX7w+xmYpAY5Okiy8RnUDgqxz6dl+C2fvVFIa
> -----END CERTIFICATE-----
>
> > Hi John,
> >
> > There are two problems:
> >
> > >  In DCM, the Verisign class 1 certificate appears OK but the class 2 and
> > > class 3 certificates expired in January 2004.
> >
> > 1)  VeriSign's intermediate certificates expired on January 7, 2004. Until
> > you update your CA certs, most VeriSign sites won't be trusted.
> >
> > If you update to CUM PTF level C4077520 or later, the problem will be
> > fixed for new certificate stores, but not for existing ones.  To fix the
> > existing ones, you need to manually download & install the updated
> > intermediate certificates from VeriSign.  They've got a web page set up to
> > explain the process:
> >
> >   https://www.verisign.com/support/site/caReplacement.html
> >
> > Personally, I had a hard time figuring out how to get it done with info
> > from that site, but maybe that's just me!  If nothing else, call IBM
> > support and get them to help you.
> >
> > > In an attempt to see what certificate the target website is using, I
> > > tried to access "https://ssl.ahnet.net/SSL/klemen/" (the URL that
> > > Example3 points to) via IE6 and received an "HTTP 404 Not Found".
> >
> > 2) https://ssl.ahnet.net no longer exists.  I used to have an SSL server
> > with that URL years ago, but not anymore.  That example should be removed
> > from HTTPAPI.
> >
> > In fact, I should go through and clean up all of the EXAMPLEx members,
> > since many of them aren't the best way to do things anymore.  Thanks for
> > the heads up on this!
> >
> > A better SSL example would be EXAMPLE16, (though the SSL part of EXAMPLE4
> > & EXAMPLE5 should still work)
> >
>
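The two snags John describes above, roots.zip entries that lack the "-----BEGIN/END CERTIFICATE-----" armour DCM insists on, and CA certificates in the *SYSTEM store that had quietly expired, can both be checked on a workstation before anything is imported. What follows is an added example for this thread, not code from HTTPAPI or from anyone on the list: it wraps a bare base64 body in PEM armour and reads notBefore/notAfter straight out of the DER using only the Python standard library. The sample input is the caroot.txt body posted above with its armour lines stripped off; the function and constant names are the example's own. The parser also walks v3 certificates (which carry an explicit version field) even though the root shown here is a v1 certificate.

```python
"""
Pre-import check for a CA certificate file: add the PEM armour lines DCM
expects and read the validity period out of the DER, standard library only.
(Added example for this thread; not code from HTTPAPI or the list.)
"""
import base64
from datetime import datetime, timezone

# Body of the caroot.txt posted above (VeriSign Class 3 Public Primary CA),
# with the BEGIN/END lines deliberately omitted to mimic a roots.zip entry.
CAROOT_BODY = """
MIICPDCCAaUCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQECBQAwXzELMAkG
A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz
cyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2
MDEyOTAwMDAwMFoXDTI4MDgwMTIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV
BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmlt
YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN
ADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ2RHP7gJYHyX3KqhE
BarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/is
I19wKTakyYbnsZogy1Olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0G
CSqGSIb3DQEBAgUAA4GBALtMEivPLCYATxQT3ab7/AoRhIzzKBxnki98tsX63/Do
lbwdj2wsqFHMc9ikwFPwTtYmwHYBV4GSXiHx0bH/59AhWM1pF+NEHJwZRDmJXNyc
AA9WjQKZ7aKQRUzkuxCkPfAyAw7xzvjoyVGM5mKf5p/AfbdynMk2OmufTqj/ZA1k
"""

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def wrap_pem(text):
    """Return a PEM block (armour lines, 64-column base64) from a bare body or
    an already armoured block, so running it twice is harmless."""
    body = "".join(ln.strip() for ln in text.splitlines() if not ln.startswith("-----"))
    base64.b64decode(body, validate=True)  # fail early on a corrupt or truncated body
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def _tlv(buf, pos):
    """Decode one DER tag-length header; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _parse_time(tag, raw):
    """Decode an X.509 Time: UTCTime (0x17) or GeneralizedTime (0x18), 'Z' suffix."""
    text = raw.decode("ascii")
    if tag == 0x17:  # YYMMDDHHMMSSZ; RFC 5280 rule: YY >= 50 is 19YY, else 20YY
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    elif tag != 0x18:  # GeneralizedTime is already YYYYMMDDHHMMSSZ
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def validity_period(pem):
    """Return (notBefore, notAfter) by walking the TBSCertificate in DER order."""
    der = base64.b64decode("".join(ln for ln in pem.splitlines() if not ln.startswith("-----")))
    _, pos, _ = _tlv(der, 0)            # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)          # tbsCertificate SEQUENCE
    tag, start, end = _tlv(der, pos)
    if tag == 0xA0:                     # [0] EXPLICIT version: present in v3, absent in v1 roots
        tag, start, end = _tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER expected")
    _, _, end = _tlv(der, end)          # signature AlgorithmIdentifier
    _, _, end = _tlv(der, end)          # issuer Name
    tag, start, end = _tlv(der, end)    # validity SEQUENCE
    if tag != 0x30:
        raise ValueError("validity SEQUENCE expected")
    t1, s1, e1 = _tlv(der, start)
    t2, s2, e2 = _tlv(der, e1)
    return _parse_time(t1, der[s1:e1]), _parse_time(t2, der[s2:e2])


def certificate_status(pem, as_of=None):
    """'valid', 'expired' or 'not yet valid' as of an ISO date (YYYY-MM-DD), default now."""
    now = (datetime.strptime(as_of, "%Y-%m-%d").replace(tzinfo=timezone.utc)
           if as_of else datetime.now(timezone.utc))
    not_before, not_after = validity_period(pem)
    if now < not_before:
        return "not yet valid"
    return "expired" if now > not_after else "valid"


if __name__ == "__main__":
    pem = wrap_pem(CAROOT_BODY)
    nb, na = validity_period(pem)
    print(pem, end="")
    print(f"notBefore={nb:%Y-%m-%d} notAfter={na:%Y-%m-%d} -> {certificate_status(pem)}")
```

For a roots.zip entry, the text `wrap_pem` returns is what goes into the IFS file handed to DCM's import; `certificate_status` with a date argument lets you confirm a store's CAs against a cut-off such as the January 2004 expiry the thread describes, before any SSL client starts failing with "not trusted".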
-----------------------------------------------------------------------
This is the FTPAPI mailing list.  To unsubscribe from the list send mail
to majordomo@xxxxxxxxxxxxx with the body: unsubscribe ftpapi mymailaddr
-----------------------------------------------------------------------