Hi

Many thanks. I've managed to turn off the client certificate, didn't realise what I'd done.

Now the intermediate certificate is more of an issue because I really thought I'd got that in there, properly. I think I might have spotted it, I had it in as a certificate authority certificate rather than a chaining certificate - as you can guess this is the first time I've worked with SSL certificates and I'm not that comfy with it. I am using Apache but on a Windows server and I think I've made the appropriate changes.

However IE7 is still giving me grief with one particular resource and not telling me why (I don't have many resources to test with). I just tried another resource and that seemed happy, so I'm thinking it might be this resource.

Anyway, you mention examining the certificate with Firefox. Can I ask how? Is it a standard tool on Firefox or one I need to download? I think I need to look to make sure I have fixed it.

Again many thanks.

Heather Peake
VLE Development Co-ordinator
Tel 01623 627191 ext 2292

-----Original Message-----
From: Discussion list for Shibboleth developments [mailto:[log in to unmask]] On Behalf Of Rod Widdowson
Sent: 24 July 2008 16:19
To: [log in to unmask]
Subject: Re: Certificate issue FireFox 3 & IE 7

Heather,

I just looked at your IdP from FF and from IE7. I'd say that you have two problems.

1) As Fiona says, it is prompting for a certificate which it shouldn't be.
2) You definitely do not have the intermediate certificate (examine the certificate in firefox and you will see that).

So you should turn off the asking for a client cert - that should shut IE up.

As I said earlier, pushing the intermediate cert depends on your deployment. Fiona tells me that the Apache incantation is:

    SSLCertificateChainFile /home/shibb/certs/sureserverEDU.pem

If you are not fronting with apache then things get rather more interesting (Chinese sense)...
Rod

----- Original Message -----
From: "Heather Peake" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Thursday, July 24, 2008 3:48 PM
Subject: Re: Certificate issue FireFox 3 & IE 7

No, you aren't missing anything. Firefox 3 complains about the certificate but lets you in if you choose exception. IE7 (recently updated) just tells you the page cannot be displayed and I'm guessing a certificate issue. It used to let you in but that was before we updated IE. It was all apparently fine on Firefox 2 and an older update of IE.

I'll check out the list you suggest and see what happens.

Thanks

Heather Peake
VLE Development Co-ordinator
Tel 01623 627191 ext 2292

-----Original Message-----
From: Discussion list for Shibboleth developments [mailto:[log in to unmask]] On Behalf Of Fiona Culloch
Sent: 24 July 2008 14:46
To: [log in to unmask]
Subject: Re: Certificate issue FireFox 3 & IE 7

> Our IDP works - in that it lets us log into particular resources.
> However when I upgraded to FireFox3 as my browser it started throwing up
> problems with the certificate but if you click allow exception it works fine.

Hi Heather, not sure about that bit but...

> IE 7 appears to be having an issue now but not actually telling us it is a
> problem with the certificate.

Maybe I'm missing something but when I go to an SP and choose "West Nottinghamshire College" from the WAYF, using IE7, it takes me to the login page and doesn't complain about the certificate.

It does put up an (empty) "choose a Digital Certificate" dialogue box first. That's usually a sign that port 443 is configured in the web server to require client certificates, which it shouldn't be in most cases. It's the _other_ port that Shibboleth uses (usually 8443) that has to be configured with SSLVerifyClient optional_no_ca (which brings up the dialogue), but users shouldn't actually see that port at all.

(Some of the discussion in the "Re: shibboleth 2.0 idp/sp" thread may therefore also be relevant to you).

Fiona.
------------------------------------------------------------------------
Awarded Outstanding (Grade 1), across the board, by Ofsted July 2008. "Excellent employer engagement...Imaginative and highly effective approach to social inclusion...Excellent communication, high staff morale and visionary leadership"

This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this e-mail in error please notify the originator of the message. This footer also confirms that this e-mail message has been scanned for the presence of computer viruses. Any views expressed in this message are those of the individual sender, except where the sender specifies and with authority, states them to be the views of West Nottinghamshire College. Scanning of this message and addition of this footer is performed by SurfControl E-mail Filter software in conjunction with virus detection software.

West Nottinghamshire College, Derby Road, Mansfield, Nottinghamshire, NG18 5BH. Tel: 01623 627191 URL: http://www.wnc.ac.uk VAT No: 593 475 93
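
Added example, not part of the original thread and not any poster's own configuration: the two fixes discussed above (send the intermediate certificate; ask for client certificates only on the second Shibboleth port) written out as an Apache mod_ssl fragment. The host name and the Windows file paths are placeholders assumed for illustration.

```apache
# Added example. Host name and file paths are placeholders, not values from the thread.
Listen 443
Listen 8443

# Port 443: the port users' browsers reach (login page).
<VirtualHost _default_:443>
    ServerName idp.example.ac.uk
    SSLEngine on
    SSLCertificateFile      "C:/certs/idp-server.crt"
    SSLCertificateKeyFile   "C:/certs/idp-server.key"

    # Intermediate ("chaining") certificate(s) from the issuing CA. Apache sends
    # these with the server certificate so the browser can build a path to a root
    # it already trusts. SSLCACertificateFile is a different directive: it names
    # the CAs trusted for *client* authentication.
    # From Apache 2.4.8 this directive is obsolete; the intermediates are appended
    # to the file named by SSLCertificateFile instead.
    SSLCertificateChainFile "C:/certs/ca-intermediate.pem"

    # Do not request a client certificate on the browser-facing port.
    # "SSLVerifyClient optional_no_ca" here is what makes IE7 show the empty
    # "choose a Digital Certificate" dialogue.
    SSLVerifyClient none
</VirtualHost>

# Port 8443: the other port Shibboleth uses; users should not see it at all.
<VirtualHost _default_:8443>
    ServerName idp.example.ac.uk
    SSLEngine on
    SSLCertificateFile      "C:/certs/idp-server.crt"
    SSLCertificateKeyFile   "C:/certs/idp-server.key"
    SSLCertificateChainFile "C:/certs/ca-intermediate.pem"

    # Request a client certificate, but do not require it to chain to a CA
    # that Apache knows about.
    SSLVerifyClient optional_no_ca
    SSLVerifyDepth  10
</VirtualHost>
```

After restarting Apache, `openssl s_client -connect idp.example.ac.uk:443 -showcerts` prints every certificate the server sends in the handshake; the intermediate should be listed after the server certificate.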