Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Help needed using GNUTLS for PKCS12 client certificates
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
VinzC
Advocate
Advocate


Joined: 17 Apr 2004
Posts: 4630
Location: Theux (Belgium)

PostPosted: Thu Aug 29, 2013 5:39 pm    Post subject: Help needed using GNUTLS for PKCS12 client certificates Reply with quote

Hi again.

I'm struggling with GNUTLS certtool to export a PK#CS12 client certificate for use in Firefox. _ALL_ my attempts yielded an infamous «The PK#CS12 operation failed for unknown reasons»... :evil:

So far I
  1. generated a CA certificate authority key and certificate: it works
  2. imported my self-signed CA certificate into Firefox: it works
  3. generated a server certificate/key pair for my local web server, based on that CA: it works.
  4. browsed my local web server with the new server certificate: it works (i.e. I get no SSL warning, as expected).
I then generated a client certificate/key pair (using the above the CA) for authenticating myself against my local web server. I could verify the certificate with and without the chain, all are valid.
cat clients/x509-myself.crt x509-ca.crt | certtool -e:

Certificate[0]: C=BE,O=...,CN=myself,UID=...
   Issued by: C=BE,... (Root CA)
   Verifying against certificate[1].
   Verification output: Verified.

Certificate[1]: C=BE,O=...
   Issued by: C=BE,O=...
   Verification output: Verified.

Chain verification output: Verified.

Then I tried to [guess how to] generate a PKCS12 file from the above client certificate that I would import in Firefox; that fails with the above error right after I typed the password.

Code:
certtool --load-ca-certificate x509-ca.crt --load-certificate clients/x509-myself.crt --load-privkey clients/x509-myself.key --to-p12 --outder --outfile clients/x509-myself.p12
fails to be imported in Firefox.
Code:
certtool --load-certificate clients/x509-myself.crt --load-privkey clients/x509-myself.key --to-p12 --outder --outfile clients/x509-myself.p12
fails to be imported in Firefox.
Code:
certtool --load-ca-certificate x509-ca.crt --load-certificate clients/x509-myself.crt --load-privkey clients/x509-myself.key --to-p12 --outraw --outfile clients/x509-myself.p12
fails to be imported in Firefox.
Code:
certtool --load-certificate clients/x509-myself.crt --load-privkey clients/x509-myself.key --to-p12 --outraw --outfile clients/x509-myself.p12
fails to be imported in Firefox.

I'd be grateful for any hint or suggestion for I'm definitely stuck :( .

UPDATE 2013-08-29: I actually could go further... with OpenSSL!
Code:
openssl pkcs12 -export -out clients/x509-myself.p12 -inkey clients/x509-myself.key -in clients/x509-myself.crt -name MySelf
for a client certificate alone or
Code:
openssl pkcs12 -export -out clients/x509-myself.p12 -inkey clients/x509-myself.key -in clients/x509-myself.crt -certfile x509-ca.crt -name MySelf
for a client certificate that also embeds the CA certificate (not sure this is the right way to go though, just a guess from what I read about client certificates and web browsers).

So it finally looks like certtool (2.12.23-r1) is inappropriate (with my current knowledge of it) for creating well-formed PKCS12 certificates for Firefox (22)...

Also note that in both cases, the PKCS12 certificate exported by OpenSSL «cannot be verified for unknown reasons», too as per Firefox... :roll:

UPDATE 2013-08-30: I've found why verifying my client certificates failed. The following keywords must be present in the template given to certtool:
client.conf:
signing_key
encryption_key

Re-created my certificate and exported it again with openssl and now client identification is working with my web server.
_________________
Gentoo addict: tomorrow I quit, I promise!... Just one more emerge...
GNU/Linux user #369763
“Wow! I feel root”
Back to top
View user's profile Send private message
scriptkitty
n00b
n00b


Joined: 20 Sep 2013
Posts: 1

PostPosted: Fri Sep 20, 2013 11:04 pm    Post subject: Reply with quote

I think I found part of the problem. If you do

Code:
 certtool --infile client-cert.pem -i


you see the lines named "Public Key Id" and "SHA-1 fingerprint".

If you extract the pkcs information from both the openssl and certtool-generated pkcs12 files with:

Code:
certtool --p12-info --inraw --infile=openssl-generated-client.p12

Code:
certtool --p12-info --inraw --infile=certtool-generated-client.p12


You will see that the openssl p12 file has the "SHA-1 fingerprint" as the Key Id, whereas the certtool p12 file has as Key ID the "Public Key Id". I do not know how to fix this or if this is even a problem.
Back to top
View user's profile Send private message
VinzC
Advocate
Advocate


Joined: 17 Apr 2004
Posts: 4630
Location: Theux (Belgium)

PostPosted: Sat Oct 05, 2013 1:22 pm    Post subject: Reply with quote

Thanks for your lights, scriptkitty. Sounds interesting. Don't know if I can figure out what to do but thanks for the explanation and taking the time to investigate.
_________________
Gentoo addict: tomorrow I quit, I promise!... Just one more emerge...
GNU/Linux user #369763
“Wow! I feel root”
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum