I was asked to get an SSL certificate for an "Oracle Application Server 11g" which has a soon-to-expire certificate. Brushing aside the fact that 10g seems to be the newest version, I got a certificate from InCommon, as I usually do without problem (except this is the first time I supplied Oracle Application Server 11g as the software type on the CSR form). On the email containing links to download the certificate, it mentioned:
Certificate Details:
SSL Type : InCommon SSL
Server : OTHER
I forwarded the email over to the person responsible for installing it and got a reply that the server type must be Oracle Application Server for the certificate to work (the CN is the same as before). They were unable to install this certificate (no details provided to me) and mentioned they had this issue previously with Thawte when they didn't supply Oracle Application Server as the server type. I don't see any significant difference between the currently installed certificate (working) and the new one I just got signed by InCommon (not working).
$ openssl x509 -in sso-current.cer -text
shows, with irrelevant information ommitted.
Data:
Version: 3 (0x2)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA/
[email protected]
Validity
Not Before: Oct 1 00:00:00 2009 GMT
Not After : Nov 28 23:59:59 2012 GMT
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3
Basic Constraints: critical
CA:FALSE
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.thawte.com/ThawteServerPremiumCA.crl
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
Authority Information Access:
OCSP - URI:http://ocsp.thawte.com
Signature Algorithm: sha1WithRSAEncryption
and
$ openssl x509 -in sso-new.cer -text
shows
Data:
Version: 3 (0x2)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=Internet2, OU=InCommon, CN=InCommon Server CA
Validity
Not Before: Nov 8 00:00:00 2012 GMT
Not After : Nov 8 23:59:59 2014 GMT
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:48:4F:5A:FA:2F:4A:9A:5E:E0:50:F3:6B:7B:55:A5:DE:F5:BE:34:5D
X509v3 Subject Key Identifier:
18:8D:F6:F5:87:4D:C4:08:7B:2B:3F:02:A1:C7:AC:6D:A7:90:93:02
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3
Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.5923.1.4.3.1.1
CPS: https://www.incommon.org/cert/repository/cps_ssl.pdf
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.incommon.org/InCommonServerCA.crl
Authority Information Access:
CA Issuers - URI:http://cert.incommon.org/InCommonServerCA.crt
OCSP - URI:http://ocsp.incommon.org
Nothing jumps out at me as the reason one would not work so I don't have a specific request for the signer for what to do differently when re-signing.
