Gentoo Forums
Securing access to a web page using a certificate
Forum: Networking & Security
destroyedlolo (l33t)

Posted: Mon Jun 11, 2018 3:47 pm    Post subject: Securing access to a web page using a certificate

Hi all,

I would like to secure a webpage using a certificate, but all the tutorials I've found are either obsolete or don't work.

So here is what I did, based on this post:

1/ created a CA root key
Code:
openssl genrsa -des3 -out destroyedloloCA.key


2/ created a root certificate
Code:
openssl req -x509 -new -nodes -key destroyedloloCA.key -sha256 -days 3650 -out destroyedloloCA.pem


3/ a new private key
Code:
openssl genrsa -out destroyedlolo.key 2048


4/ the corresponding CSR
Code:
openssl req -new -key destroyedlolo.key -out destroyedlolo.csr


5/ the web server certificate
Code:
openssl x509 -req -in destroyedlolo.csr -CA destroyedloloCA.pem -CAkey destroyedloloCA.key -CAcreateserial -out destroyedlolo.crt -days 3650 -sha256 -extfile destroyedlolo.conf


6/ then I modified Apache's SSL vhost, and the test is successful with all of this.

Now, on to the client certificate (where the problems begin)

7/ Client private key
Code:
openssl genrsa -out dlclient.key 2048


8/ signature request
Code:
openssl req -new -key dlclient.key -out dlclient.csr


9/ Certificate
Code:
openssl x509 -extensions v3_ca -req -in dlclient.csr -CA destroyedloloCA.pem -CAkey destroyedloloCA.key  -CAcreateserial -out dlclient.crt -days 3650


10/ P12
Code:
openssl pkcs12 -export -in dlclient.crt -inkey dlclient.key -out dlclient.p12


I tried to import this p12 into Firefox, as well as destroyedloloCA.pem, but the connection attempt fails with an SSL_ERROR_UNKNOWN_CA_ALERT error.

So ... what can I do?

Thanks

Laurent
audiodef (Watchman)

Posted: Mon Jun 11, 2018 9:11 pm

I used to use the DIY method, then I decided it was not worth the time and effort. I switched to using Letsencrypt for everything. It's free, recognized by browsers, and will save you time and frustration.
_________________
Gentoo Studio in open beta. Feedback wanted.
Hu (Moderator)

Posted: Tue Jun 12, 2018 1:35 am

As I understand the Let's Encrypt offering, they do not provide, nor plan to provide, client certificates. They provide server certificates to let a TLS server obtain a certificate matching its DNS name. They do not provide client certificates used to distinguish individuals within an organization.

destroyedlolo: if I were to guess based on the error message, Apache does not trust your CA, so it cannot verify certificates issued by that CA.
destroyedlolo (l33t)

Posted: Tue Jun 12, 2018 10:40 am

Hi,

It looks to me like the problem is not on the Apache side but on the Firefox one.
It seems it doesn't trust my CA even though I imported destroyedloloCA.pem.

I've tried to verify the chain using openssl, but it's complaining:
Code:
 openssl verify -verbose -purpose sslserver -CAfile destroyedloloCA.pem dlclient.p12
unable to load certificate
3069744352:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:708:Expecting: TRUSTED CERTIFICATE


I did a grep on "TRUSTED CERTIFICATE", but none of the files I've generated contain this string ...
John R. Graham (Administrator)

Posted: Tue Jun 12, 2018 11:52 am

openssl-verify man page wrote:
Certificates must be in PEM format.
Try verifying your leaf cert, not the corresponding .p12 file.

Also, shouldn't your -purpose be sslclient to verify the client cert?

- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.
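As an added example (not from the thread or any of its participants), here is the ten-step procedure from the first post reworked as one script, with an explicit extension file for each certificate, followed by the checks described just above: the PEM leaf is verified with the purpose it is meant for, and the PKCS#12 bundle is shown not to be PEM at all (it is binary DER, which is why `openssl verify` cannot load it). It assumes only the openssl command line tool; the subject names, the example hostname and the export password "demo" are placeholders.

```shell
#!/bin/sh
# Constructed demo: a throwaway root CA, one server leaf, one client leaf and a
# PKCS#12 bundle, built in a temp directory and then verified for their purposes.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# Extension files: the root is marked as a CA; each leaf carries only its own
# extended key usage, so a client cert cannot pass as a server cert (or vice versa).
cat > ca.ext <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
cat > server.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
cat > client.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF

# Root CA: key, CSR, self-signed certificate (no key passphrase in this demo).
openssl genrsa -out ca.key 2048 2>/dev/null
openssl req -new -key ca.key -subj "/CN=Demo Root CA" -out ca.csr 2>/dev/null
openssl x509 -req -in ca.csr -signkey ca.key -days 3650 -sha256 \
    -extfile ca.ext -out ca.pem 2>/dev/null

# issue NAME EXTFILE SUBJECT: leaf key -> CSR -> certificate signed by the CA
issue() {
    openssl genrsa -out "$1.key" 2048 2>/dev/null
    openssl req -new -key "$1.key" -subj "$3" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 825 -sha256 -extfile "$2" -out "$1.crt" 2>/dev/null
}
issue server server.ext "/CN=www.example.test"
issue client client.ext "/CN=demo-client"

# Browser bundle: leaf + key as PKCS#12, which is binary DER rather than PEM.
openssl pkcs12 -export -in client.crt -inkey client.key -passout pass:demo -out client.p12
# verify_purpose FILE PURPOSE: 0 only when FILE chains to ca.pem and fits PURPOSE
verify_purpose() { openssl verify -purpose "$2" -CAfile ca.pem "$1" >/dev/null 2>&1; }
# is_pem FILE: the text form "openssl verify" expects; the .p12 fails this by design
is_pem() { grep -q -e '-----BEGIN ' "$1" 2>/dev/null; }
verify_purpose server.crt sslserver
verify_purpose client.crt sslclient
echo "both leaves verify for their intended purpose; files are in $WORK"
```

Swapping the purposes (sslserver for the client leaf, sslclient for the server leaf) makes verify_purpose fail, which is the behaviour you want from the extended key usage.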
destroyedlolo (l33t)

Posted: Tue Jun 12, 2018 1:42 pm

I tried again with .crt and .cer certificates, and they all work.

Code:
 openssl verify -verbose -purpose sslclient -CAfile destroyedloloCA.pem dlclient.crt
dlclient.crt: OK


So the question remains: why does Firefox disagree?
destroyedlolo (l33t)

Posted: Thu Jul 12, 2018 9:31 am

Hi,

I'm not giving up, but ... despite many tries, I'm stuck at the same point.
Any idea welcome :)

Best regards,

Laurent
John R. Graham (Administrator)

Posted: Thu Jul 12, 2018 10:28 am

Hi Laurent,

Sorry; somehow this thread dropped off my radar.

A couple of things. A "trusted certificate" is one that the browser can chain up to a known root certificate. When you use "openssl verify", you are supplying the root with the -CAfile argument. If you haven't supplied your root CA cert to Firefox, then your root CA is not "known" and the results you're seeing are expected. You can install your root CA cert in Firefox in the Options / Privacy & Security / Certificates / View Certificates / Your Certificates / Import dialog. After installation of your root CA cert, that particular instance of Firefox will "trust" leaf certificates issued by your root CA.

However, other instances of Firefox will not know about your root CA, just as your instance did not know about it until now. That's why Firefox comes pre-installed with a selection of well known issuing CAs: so that web sites (and other servers that need a chain of trust) can acquire a leaf cert that is already trusted by the major browsers. In addition, the security techniques for strongly protecting your root CA are non-trivial. For most purposes other than a toy or hobby chain of trust, it's best to let the experts provide the leaf cert.

Does this help enough? If not, just ask. :wink:

- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.
Ant P. (Watchman)

Posted: Fri Jul 13, 2018 2:29 am

It's possible, or at least used to be, to teach the browser to accept your CA (at your own risk: I hope you've set correct DNSname constraints in it) by importing it, after which all leaf certs it signs should be automatically recognised without prompting. I vaguely remember this being much harder in Chromium though, so be warned.

They deliberately make getting there a huge pain in the ass and as confusing as possible, because it's a cross-platform browser, one of the platforms is windows, and windows is a circus of criminals and idiots that constantly find new ways to invoke Murphy's law.

On the other hand, if you want the cert to work in well-behaved system software, that's different: you put the CA certificate in /usr/local/share/ca-certificates/$yourname.crt and then run update-ca-certificates as root.
destroyedlolo (l33t)

Posted: Fri Jul 13, 2018 3:21 pm

Thanks for your replies: I'll test next week and let you know.

And yes, clients are both m$ and Unixes, as my goal is to protect some webservice calls :)