<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class="">The server is not including the intermediate EV certificate authority from Symantec.</div><div class=""><br class=""></div><div class=""><br class=""></div>The server returns:<div class=""><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class="">openssl s_client -showcerts -connect <a href="http://op.certification.openid.net" class="">op.certification.openid.net</a>:60054</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class="">CONNECTED(00000003)</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class="">depth=0 jurisdictionC = US, jurisdictionST = Delaware, businessCategory = Private Organization, serialNumber = 2158113, C = US, postalCode = 94043, ST = California, L = Mountain View, street = 350 Ellis Street, O = Symantec Corporation, OU = Cloud Platform Engineering, CN = <a href="http://op.certification.openid.net" class="">op.certification.openid.net</a></div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class="">verify error:num=20:unable to get local issuer certificate</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class="">verify return:1</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class="">depth=0 jurisdictionC = US, jurisdictionST = Delaware, businessCategory = Private Organization, serialNumber = 2158113, C = US, postalCode = 94043, ST = California, L = Mountain View, street = 350 Ellis Street, O = Symantec Corporation, OU = Cloud Platform Engineering, CN = <a href="http://op.certification.openid.net" class="">op.certification.openid.net</a></div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class="">verify error:num=21:unable to verify the first certificate</div><div style="margin: 0px; font-size: 11px; font-family: 
Menlo;" class="">verify return:1</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class="">---</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class="">Certificate chain</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""> 0 s:/jurisdictionC=US/jurisdictionST=Delaware/businessCategory=Private Organization/serialNumber=2158113/C=US/postalCode=94043/ST=California/L=Mountain View/street=350 Ellis Street/O=Symantec Corporation/OU=Cloud Platform Engineering/CN=<a href="http://op.certification.openid.net" class="">op.certification.openid.net</a></div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class="">   i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3</div>
<div style="margin: 0px; font-size: 11px; font-family: Menlo;" class="">---</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class="">Server certificate</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class="">subject=/jurisdictionC=US/jurisdictionST=Delaware/businessCategory=Private Organization/serialNumber=2158113/C=US/postalCode=94043/ST=California/L=Mountain View/street=350 Ellis Street/O=Symantec Corporation/OU=Cloud Platform Engineering/CN=<a href="http://op.certification.openid.net" class="">op.certification.openid.net</a></div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class="">issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class="">---</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class="">No client certificate CA names sent</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class="">---</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class="">SSL handshake has read 2151 bytes and written 680 bytes</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class="">---</div><div class=""><br class=""></div><div><blockquote type="cite" class=""><div class="">On Mar 16, 2015, at 9:36 PM, Justin Richer <<a href="mailto:jricher@MIT.EDU" class="">jricher@MIT.EDU</a>> 
wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html charset=utf-8" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class="">During the OP testing, in order to get the jwks_uri tests to pass, I had to add the certificate for <a href="https://op.certification.openid.net:60054/export/jwk_60054.json" class="">https://op.certification.openid.net:60054/export/jwk_60054.json</a> to the Java keystore on our server before it was able to read the URL properly. I visited the URL directly in Firefox, exported the cert from there in PEM format, then imported it into Tomcat’s keystore and restarted the server. From that point, the test ran fine. </div><div class=""><br class=""></div>I haven’t looked too hard into the cause of this, since the workaround seemed to do its job. I don’t know if there’s something that can be done on the server side to mitigate this, though Brian was under the impression that it was missing the intermediary certificate and that might help things. Interestingly, doing interop testing of our RP with several other servers also gives SSL errors of various flavors, so I’m largely chalking this up to bad client-side SSL support on the Java platform, but others might run into something similar with the certification server. <div class=""><br class=""></div><div class=""> — Justin</div></div>_______________________________________________<br class="">Openid-specs-ab mailing list<br class=""><a href="mailto:Openid-specs-ab@lists.openid.net" class="">Openid-specs-ab@lists.openid.net</a><br class="">http://lists.openid.net/mailman/listinfo/openid-specs-ab<br class=""></div></blockquote></div><br class=""></div></body></html>
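Added example (not part of the original message or of the certification server's code): a small Python check for the condition diagnosed at the top of this message, a server that sends only its leaf certificate. It parses the `Certificate chain` section of `openssl s_client` output and lists issuers that the server did not send and that are not in an assumed local trust store; the function names, the abridged DNs and the placeholder root name are assumptions made for the illustration.

```python
import re

# Chain entries as printed by `openssl s_client`: " 0 s:<subject>" then "   i:<issuer>".
ENTRY = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.MULTILINE)
VERIFY_ERR = re.compile(r"^verify error:num=(\d+):", re.MULTILINE)

def parse_chain(transcript):
    """Return [(index, subject, issuer), ...] for the certificates the server sent."""
    return [(int(n), s.strip(), i.strip()) for n, s, i in ENTRY.findall(transcript)]

def verify_errors(transcript):
    """Return the set of OpenSSL verify error numbers in the transcript."""
    return {int(n) for n in VERIFY_ERR.findall(transcript)}

def unresolved_issuers(transcript, trusted_subjects=frozenset()):
    """Issuer DNs that are neither sent by the server nor in the local trust store."""
    chain = parse_chain(transcript)
    sent = {subject for _, subject, _ in chain}
    return sorted({issuer for _, subject, issuer in chain
                   if issuer != subject  # a self-signed root is its own issuer
                   and issuer not in sent
                   and issuer not in trusted_subjects})

# DNs abridged from the output on this page; ROOT is a placeholder, not a real CA name.
LEAF = "/C=US/O=Symantec Corporation/CN=op.certification.openid.net"
EV_CA = "/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3"
ROOT = "/CN=Placeholder Root CA"

# Constructed transcript: leaf only, as the server on this page responds.
BROKEN = f"""depth=0 CN = op.certification.openid.net
verify error:num=20:unable to get local issuer certificate
verify return:1
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:{LEAF}
   i:{EV_CA}
"""

# Constructed transcript: the same server after the intermediate is added to its chain.
FIXED = f"""---
Certificate chain
 0 s:{LEAF}
   i:{EV_CA}
 1 s:{EV_CA}
   i:{ROOT}
"""
```

With the leaf-only transcript, `unresolved_issuers(BROKEN)` names the EV intermediate; with the intermediate served and the root in the trust store, `unresolved_issuers(FIXED, {ROOT})` is empty.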