Feature #2980
SHA2 authentication
Status: closed (0% done)
Description
- Integrate sha2 authentication
Dear all,
I am forwarding an email [(c) David Groep], originally written for
the SA2 verifiers to probe the middleware readiness for SHA2.
Please, let me know if there are questions:
----------------- Original Message -----------------
The easiest is to get an instant certificate from CILogon, using their
(unaccredited) OpenID provider like Google:
https://cilogon.org/
and select "Google" from the list of IdPs. After signing in to Google and
typing in a password, you can download a pkcs#12 file with your new
certificate and private key (you have ~ 2min to do this). To get
the conventional usercert.pem and userkey.pem, use openssl:
openssl pkcs12 -in myfile.p12 -info -out usercert.pem -nokeys
openssl pkcs12 -in myfile.p12 -info -out userkey.pem -nocerts
chmod 0600 userkey.pem
and give your passphrase a few times. The new cert looks like:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 7052 (0x1b8c)
Signature Algorithm: sha256WithRSAEncryption
Issuer: DC=org, DC=cilogon, C=US, O=CILogon, CN=CILogon OpenID CA 1
Validity
Not Before: Jul 17 06:20:35 2012 GMT
Not After : Aug 17 18:25:35 2013 GMT
Subject: DC=org, DC=cilogon, C=US, O=Google, CN=John Doe A5833
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:da:81:1f:6a:ea:dd:c8:56:42:ed:3c:1d:0c:35:
...
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage: critical
Digital Signature, Key Encipherment, Data Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.34998.1.3.3
X509v3 CRL Distribution Points:
URI:http://crl.cilogon.org/cilogon-openid.crl
URI:http://crl.doegrids.org/cilogon-openid.crl
X509v3 Subject Alternative Name:
email:johndoe@googlemail.com
Signature Algorithm: sha256WithRSAEncryption
3d:82:77:aa:ed:9c:9a:6f:89:3e:41:6d:16:15:e9:1f:3e:2c:
....
and you can install the unaccredited OpenID CA just like the other IGTF
CAs, but from the experimental repository:
<https://dist.eugridpma.info/distribution/current/experimental/RPMS/ca_cilogon-openid-1.48-1.noarch.rpm>
and corresponding tar-balls and JKS'es
----------------- End of Original Message -----------------
Cheers
Peter
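The listing above is what `openssl x509 -in usercert.pem -noout -text` prints, and the line a SHA2 verifier cares about is `Signature Algorithm`. As an added example (not code from the ticket, from CILogon or from the IGTF distribution), the script below does that check without depending on the openssl binary: it walks just enough DER to reach the two AlgorithmIdentifier fields of an X.509 certificate (`tbsCertificate.signature` and the outer `signatureAlgorithm`), maps the OID to the name openssl would print, and reports whether the signature is from the SHA-2 family. Function names are my own; `build_stub_cert` produces a constructed stub certificate containing only the fields the walker needs, so it runs offline and is not a real CILogon certificate. Point it at a real `usercert.pem` to check your own.

```python
"""SHA-2 readiness check for an X.509 certificate (standard library only).
Added example, not from the ticket; the sample certificate is a constructed stub."""
import base64
import re

# OID -> name as printed by `openssl x509 -text`
OID_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}
SHA2_OIDS = {oid for oid, name in OID_NAMES.items() if "sha1" not in name.lower()}


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def _alg_oid(alg_ident):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }"""
    tag, oid_raw, _ = _read_tlv(alg_ident, 0)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return _decode_oid(oid_raw)


def pem_to_der(pem):
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return base64.b64decode("".join(body.group(1).split()))


def check_signature_algorithm(pem):
    """Describe the signature algorithm of a PEM certificate (hypothetical helper)."""
    _, cert, _ = _read_tlv(pem_to_der(pem), 0)     # Certificate ::= SEQUENCE
    _, tbs, pos = _read_tlv(cert, 0)               # tbsCertificate
    _, outer_alg, _ = _read_tlv(cert, pos)         # signatureAlgorithm
    tag, _, tpos = _read_tlv(tbs, 0)               # [0] version is OPTIONAL
    if tag == 0xA0:
        _, _, tpos = _read_tlv(tbs, tpos)          # serialNumber
    _, inner_alg, _ = _read_tlv(tbs, tpos)         # tbsCertificate.signature
    outer, inner = _alg_oid(outer_alg), _alg_oid(inner_alg)
    return {
        "algorithm": OID_NAMES.get(outer, outer),
        "sha2": outer in SHA2_OIDS,
        "consistent": outer == inner,  # RFC 5280 4.1.1.2: the two fields MUST match
    }


# --- constructed stub certificate, only for running the checker offline ---
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_stub_cert(outer_oid, inner_oid=None):
    """Stub with version, serial 7052 (as in the ticket) and the two algorithm fields."""
    alg = lambda oid: _tlv(0x30, _encode_oid(oid) + b"\x05\x00")
    tbs = _tlv(0x30, _tlv(0xA0, b"\x02\x01\x02") + _tlv(0x02, b"\x1b\x8c")
               + alg(inner_oid or outer_oid))
    cert = _tlv(0x30, tbs + alg(outer_oid) + _tlv(0x03, b"\x00\x3d\x82\x77\xaa"))
    b64 = base64.b64encode(cert).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    import sys
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else build_stub_cert("1.2.840.113549.1.1.11")
    print(check_signature_algorithm(pem))
```

The `consistent` flag is the caveat worth keeping: a certificate whose outer `signatureAlgorithm` says SHA-256 while `tbsCertificate.signature` still says SHA-1 is malformed under RFC 5280, and a verifier that only reads the outer field would wrongly pass it.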