[Openid-specs-ab] Certificates on Certification Site

Justin Richer jricher at mit.edu
Tue Mar 17 00:36:06 UTC 2015

During the OP testing, in order to get the jwks_uri tests to pass, I had to add the certificate for https://op.certification.openid.net:60054/export/jwk_60054.json to the Java keystore on our server before it was able to read the URL properly. I visited the URL directly in Firefox, exported the cert from there in PEM format, then imported it into Tomcat’s keystore and restarted the server. From that point, the test ran fine.

I haven’t looked too hard into the cause of this, since the workaround seemed to do its job. I don’t know if there’s something that can be done on the server side to mitigate this, though Brian was under the impression that it was missing the intermediary certificate and that might help things. Interestingly, doing interop testing of our RP with several other servers also gives SSL errors of various flavors, so I’m largely chalking this up to bad client-side SSL support on the Java platform, but others might run into something similar with the certification server.

 — Justin
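
The cause suggested in the message above (a server that does not send its intermediate certificate) can be reproduced offline with the openssl CLI. This is an added example, not part of the original message and not a confirmed diagnosis of the certification server. It assumes openssl is installed; the function names, the subject names and all keys and certificates are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: every key, name and certificate here is generated locally.

# new_req DIR NAME CN: create NAME.key and NAME.csr with subject CN.
new_req() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# make_chain DIR: build root CA -> intermediate CA -> server (leaf) certificate.
make_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    new_req "$d" root "Demo Root CA" &&
    new_req "$d" int "Demo Intermediate CA" &&
    new_req "$d" leaf "op.example.test" &&
    # Self-signed root, marked as a CA.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null &&
    # Intermediate signed by the root, also marked as a CA.
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null &&
    # Server certificate signed by the intermediate.
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# client_accepts DIR MODE: validate the leaf as a client that trusts only the root.
#   MODE=leaf-only  server sent just its own certificate
#   MODE=full       server also sent the intermediate
client_accepts() {
    case $2 in
        leaf-only) openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" ;;
        full)      openssl verify -CAfile "$1/root.pem" \
                       -untrusted "$1/int.pem" "$1/leaf.pem" ;;
        *)         return 2 ;;
    esac >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
make_chain "$demo_dir"
for mode in leaf-only full; do
    if client_accepts "$demo_dir" "$mode"; then
        echo "$mode: chain verifies"
    else
        echo "$mode: verification fails"
    fi
done
rm -rf "$demo_dir"
```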