How can I introduce a cross signing certificate into a chain? -

-

i maintain java applet locally deployed. purchased code signing certificate go daddy (it inexpensive, , host our site). certificate chain follows (all files available @ https://certs.godaddy.com/anonymous/repository.pki):

  1. my company
  2. gdig2.cer
  3. gdroot-g2.crt

unfortunately, root not installed default on windows 7 (used ie) or windows jre (used other browsers, think). manually installing root certificate doable, requires users have administrator access or run unfamiliar commands (it doesn't make sense security standpoint "you can trust applet, , prove it, run command on computer").

i change certificate chain to

  1. my company
  2. gdig2.cer
  3. gdroot-g2_cross.crt
  4. gd-class2-root.crt

which seems more prevalent (for example, 1 in windows jre, , used validate https://www.godaddy.com, gets windows 7). go daddy not able me ("our support using 1 of our code signing certificates limited"), i'm left doing on own.

following this answer, promising approach has been following (on mac os x 10.6):

  1. convert certificate pem format:
    $ openssl pkcs12 -in mycert.p12 -out mycert.pem -nodes
  2. use text editor open mycert.pem, delete gdroot-g2.crt, , paste in gdroot-g2_cross.crt , gd-class2-root.crt (openssl appears not care order of certificates, put them in order shown above)
  3. convert certificates p12 format:
    $ openssl pkcs12 -export -in mycert.pem -out combined.p12

unfortunately, doesn't quite work. calling
$ keytool -list -storetype pkcs12 -keystore combined.p12 -v
shows certificate chain extends through gdig2.cer, , stops. problem appears gdroot-g2_cross.cer doesn't certify gdig2.cer:

$ openssl verify -cafile gd-class2-root.cer gdroot-g2_cross.cer gdroot-g2_cross.cer: ok $ cat gd-class2-root gdroot-g2_cross.cer > gdrootcross.pem $ openssl verify -cafile gdrootcross.pem gdig2.cer gdig2.cer: /c=us/st=arizona/l=scottsdale/o=godaddy.com, inc./ou=http://certs.godaddy.com/repository//cn=go daddy secure certificate authority - g2   error 20 @ 0 depth lookup:unable local issuer certificate

but looks ok me: 

$ openssl x509 -in gdig2.cer -text -noout . . . issuer: c=us, st=arizona, l=scottsdale, o=godaddy.com, inc., cn=go daddy root certificate authority - g2 x509v3 authority key identifier: keyid:3a:9a:85:07:10:67:28:b6:ef:f6:bd:05:41:6e:20:c1:94:da:0f:de . . . $ openssl x509 -in gdroot-g2_cross.cer -text -noout . . . subject: c=us, st=arizona, l=scottsdale, o=godaddy.com, inc., ou=https://certs.godaddy.com/repository/, cn=go daddy root certificate authority - g2 x509v3 subject key identifier: 3a:9a:85:07:10:67:28:b6:ef:f6:bd:05:41:6e:20:c1:94:da:0f:de . . .

this leads me think i'm not using cross certificate correctly, don't know i'm doing wrong. (i've tried appending 2 new certificates original chain, openssl verify says error 18 @ 0 depth lookup:self signed certificate.) i'm willing believe it's not possible change root certificate, seems entire point of cross certificates. how can introduce cross certificate certificate chain in order verified different root certificate authority?

you don't. have 1 certificate signed first authority; , 1 certificate signed second authority - both having same public key / fingerprint , subject line. that's it.


Comments

Post a Comment

Popular posts from this blog

Perl - how to grep a block of text from a file -

-
it can in xml or text format. how in general grep block of text in perl? <track type="ws"> <range> <rangestart>0</rangestart> <rangeend>146.912</rangeend> <locationindex>0</locationindex> <propertyindex>0</propertyindex> </range> </track> <track type="ps" id="1"> <range> <rangestart>0</rangestart> <rangeend>146.912</rangeend> <locationindex>1</locationindex> <propertyindex>1</propertyindex> </range> </track> i want grep type="ps" , till </range> . one solution open file, read line line , match block. open(fh, "file.txt"); foreach $line (<fh>) { if ($line =~ m/type="cc"(.*?)<\/range>/) { print $1; } } but there more optimal solution without reading file line l
Read more

delphi - How to remove all the grips on a coolbar if I have several coolbands? -

-
Image
if set mycoolbar.fixedorder true,only grip on first band hidden. well,if use delphi 7 create vcl forms application,then put coolbar on , create 3 coolbans hold other controls,only grip , top coolbands can hidden setting mycoolbar.fixedorder:=true. i've uploaded picture make things clear. you got fixedorder property wrong. fixed property not allow bands rearranged if set true . setting property of coolbar true keep user changing bands order @ runtime, user can still move , resize bands. can give advice can do, actual solution problem, well, have wait answer. my advice use 3 coolbars in row , setting "fixedorder" property true , bandborderstyle bsnone . way grip hidden on of them. about property, it's not bug of ide, actual preference of property.
Read more

javascript - Animating array of divs; only the final element is modified -

-
this baffling me @ moment. i'm experienced programmer looking throw bit of surprise fiancee on countdown page our wedding. desired effect simulated confetti falling behind main page. setup follows: i have array of divs in javascript. each div absolutely positioned on page. have interval set updates every 50 or milliseconds. on each tick, run loop on array of divs, , calculations , update positions. problem problem having, however, though can see divs created, stored array, , modified (in case, each has slight randomized rotation) during initialization phase, once tick update position starts, div stored in whatever last slot of array gets position updated. tried hard-coding each div index testing purposes, strictly last element update position. upon printing current "left" , "top" style values each div before , after calculations shows value has been changed, no visible change noticeable. here's basic code: javascript var container;
Read more