VinzC (Watchman)
Joined: 17 Apr 2004 Posts: 5098 Location: Dark side of the mood
Posted: Thu Aug 29, 2013 5:39 pm Post subject: Help needed using GNUTLS for PKCS12 client certificates
Hi again.
I'm struggling with GNUTLS certtool to export a PKCS#12 client certificate for use in Firefox. _ALL_ my attempts yielded an infamous «The PKCS#12 operation failed for unknown reasons»...
So far I have:
- generated a CA certificate authority key and certificate: it works
- imported my self-signed CA certificate into Firefox: it works
- generated a server certificate/key pair for my local web server, based on that CA: it works.
- browsed my local web server with the new server certificate: it works (i.e. I get no SSL warning, as expected).
I then generated a client certificate/key pair (using the above CA) for authenticating myself against my local web server. I could verify the certificate with and without the chain; all are valid.
Code: | cat clients/x509-myself.crt x509-ca.crt | certtool -e
Certificate[0]: C=BE,O=...,CN=myself,UID=...
Issued by: C=BE,... (Root CA)
Verifying against certificate[1].
Verification output: Verified.
Certificate[1]: C=BE,O=...
Issued by: C=BE,O=...
Verification output: Verified.
Chain verification output: Verified. |
Then I tried to [guess how to] generate a PKCS12 file from the above client certificate that I would import in Firefox; that fails with the above error right after I typed the password.
Code: | certtool --load-ca-certificate x509-ca.crt --load-certificate clients/x509-myself.crt --load-privkey clients/x509-myself.key --to-p12 --outder --outfile clients/x509-myself.p12 | fails to be imported in Firefox.
Code: | certtool --load-certificate clients/x509-myself.crt --load-privkey clients/x509-myself.key --to-p12 --outder --outfile clients/x509-myself.p12 | fails to be imported in Firefox.
Code: | certtool --load-ca-certificate x509-ca.crt --load-certificate clients/x509-myself.crt --load-privkey clients/x509-myself.key --to-p12 --outraw --outfile clients/x509-myself.p12 | fails to be imported in Firefox.
Code: | certtool --load-certificate clients/x509-myself.crt --load-privkey clients/x509-myself.key --to-p12 --outraw --outfile clients/x509-myself.p12 | fails to be imported in Firefox.
I'd be grateful for any hint or suggestion, for I'm definitely stuck.
UPDATE 2013-08-29: I actually could go further... with OpenSSL!
Code: | openssl pkcs12 -export -out clients/x509-myself.p12 -inkey clients/x509-myself.key -in clients/x509-myself.crt -name MySelf | for a client certificate alone or
Code: | openssl pkcs12 -export -out clients/x509-myself.p12 -inkey clients/x509-myself.key -in clients/x509-myself.crt -certfile x509-ca.crt -name MySelf | for a client certificate that also embeds the CA certificate (not sure this is the right way to go though, just a guess from what I read about client certificates and web browsers).
So it finally looks like certtool (2.12.23-r1) is inappropriate (with my current knowledge of it) for creating well-formed PKCS12 certificates for Firefox (22)...
Also note that in both cases, the PKCS12 certificate exported by OpenSSL «cannot be verified for unknown reasons» too, as per Firefox...
UPDATE 2013-08-30: I've found why verifying my client certificates failed. The following keywords must be present in the template given to certtool:
client.conf: | signing_key
encryption_key |
Re-created my certificate and exported it again with openssl and now client identification is working with my web server.
_________________
Gentoo addict: tomorrow I quit, I promise!... Just one more emerge... 1739!
scriptkitty (n00b)
Joined: 20 Sep 2013 Posts: 1
Posted: Fri Sep 20, 2013 11:04 pm
I think I found part of the problem. If you do
Code: | certtool --infile client-cert.pem -i |
you see the lines named "Public Key Id" and "SHA-1 fingerprint".
If you extract the pkcs information from both the openssl and certtool-generated pkcs12 files with:
Code: | certtool --p12-info --inraw --infile=openssl-generated-client.p12 |
Code: | certtool --p12-info --inraw --infile=certtool-generated-client.p12 |
You will see that the openssl p12 file has the "SHA-1 fingerprint" as the Key Id, whereas the certtool p12 file has as Key ID the "Public Key Id". I do not know how to fix this or if this is even a problem. |
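The two posts above between them describe the whole procedure that worked: sign a client certificate whose key usage allows signing and encryption, export it with the issuing CA into a PKCS#12 file with OpenSSL, and check which identifier the bundle carries as its localKeyID. The script below is an added example, not code from either poster or from the GnuTLS or OpenSSL projects; it builds a throw-away CA and client certificate so it runs offline, and every subject, file name and the export password are invented for the demonstration. The keyUsage bits it sets on the client certificate are the OpenSSL counterpart of the certtool template keywords signing_key and encryption_key; the clientAuth EKU and the localKeyID comparison go beyond what the thread shows.

```shell
#!/bin/sh
# Added example (not from the thread): make a CA and a client certificate with
# OpenSSL, pack them into a PKCS#12 bundle the way the working
# "openssl pkcs12 -export ... -certfile" command does, then verify the bundle
# before importing it into a browser. All names and the password are invented.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORK=$(mktemp -d)
P12PASS='export-password'   # assumed; Firefox asks for it on import

# OpenSSL config for the CSRs. The subject comes from -subj, so the dn section
# only has to exist; ca_ext is the extension section for the self-signed root.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Extensions for the client certificate. digitalSignature + keyEncipherment
# correspond to certtool's signing_key and encryption_key; clientAuth is the
# EKU a TLS server checks when it requests a client certificate.
cat > "$WORK/client.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF

make_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
        -config "$WORK/req.cnf" -extensions ca_ext \
        -subj '/C=BE/O=Example Org/CN=Example Root CA' \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

make_client() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
        -subj '/C=BE/O=Example Org/CN=myself' \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -extfile "$WORK/client.ext" \
        -out "$WORK/client.crt" 2>/dev/null
    # Chain check (what "certtool -e" did in the thread) plus a client-auth purpose check.
    openssl verify -CAfile "$WORK/ca.crt" -purpose sslclient "$WORK/client.crt" >/dev/null
}

# Identity plus issuing CA in one PKCS#12 file, friendly name "MySelf".
export_p12() {
    openssl pkcs12 -export -in "$WORK/client.crt" -inkey "$WORK/client.key" \
        -certfile "$WORK/ca.crt" -name MySelf \
        -passout "pass:$P12PASS" -out "$WORK/client.p12"
}

# Normalise "AB:CD:..." or "AB CD ..." to one upper-case hex string.
hex_only() { tr -d ' :\n' | tr 'a-f' 'A-F'; }

cert_sha1() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//' | hex_only
}

# Number of certificates packed into the bundle (expect 2: client + CA).
p12_cert_count() {
    openssl pkcs12 -in "$WORK/client.p12" -passin "pass:$P12PASS" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Pull the client certificate back out, confirm it is the one we signed, and
# compare the bundle's localKeyID with the certificate's SHA-1 fingerprint,
# the identifier scriptkitty saw OpenSSL write. Prints the id on success.
check_p12() {
    openssl pkcs12 -in "$WORK/client.p12" -passin "pass:$P12PASS" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -out "$WORK/from_p12.crt"
    want=$(cert_sha1 "$WORK/client.crt")
    [ "$(cert_sha1 "$WORK/from_p12.crt")" = "$want" ] || return 1
    keyid=$(openssl pkcs12 -in "$WORK/client.p12" -passin "pass:$P12PASS" -info -nokeys -nodes 2>/dev/null \
        | sed -n 's/^ *localKeyID: *//p' | tr -d ' :' | tr 'a-f' 'A-F' | sort -u)
    [ "$keyid" = "$want" ] || return 1
    echo "$keyid"
}

make_ca
make_client
export_p12
echo "bundle: $WORK/client.p12 ($(p12_cert_count) certificates), localKeyID $(check_p12)"
```

Run it as-is; it leaves the bundle in a temporary directory and prints the localKeyID, which should equal the `SHA-1 fingerprint` line that `certtool -i` shows for the client certificate. If an import still fails, the first things to compare are exactly those two values and the key usage bits of the certificate inside the bundle.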
VinzC (Watchman)
Joined: 17 Apr 2004 Posts: 5098 Location: Dark side of the mood
Posted: Sat Oct 05, 2013 1:22 pm
Thanks for your lights, scriptkitty. Sounds interesting. Don't know if I can figure out what to do but thanks for the explanation and taking the time to investigate.