Hello Yngve,

On Thu, 2005-15-09 at 12:27 +0200, Yngve Zackrisson wrote:
> Hi
>
> I am still struggling with remoting and HTTPS :-).
> After studying more I have a couple of questions:
>
> A) Server certificate (for Linux / Mono):
>
> On #75751 I questioned:
>
> 1) Is it possible to create the certificates with openssl in Linux
> and use them in .NET (Linux and Mono on the server side
> and Win32 and Microsoft .NET on the client side)?
> Is there any 'HOWTODO-resources' on this?
>
> and I got the answer:
>
> (1) your best bet is to create the certificate (using OpenSSL) in the
> PKCS#12 format. This should make it easy to import on Windows and Mono
> can deal with this format.
>
> Current question:
>
> On Mono I have a problem with getting the private key.
>
> I am doing a test server application to check the https communication
> (using Poupou's blog example and the XSP Web server as a base).
> I have succeeded in creating the .p12 format.
> I also have the cert in DER (.cer) format and in .pem format.
> I also have the key in .pem format.
> On Mono I have a problem with extraction of the private key from these files.
> AFAIK, one can get the key from the .pvk format through the
> PrivateKey.CreateFromFile method.
Yes but that's not the only way - and definitively not the way if you're
using PKCS#12.

> But how can I get the key in the .pvk format?

The whole point of using PKCS#12 is to avoid the less-secure PVK format.

> Is there any other way to get the key?

You can get a list of the private keys (there can be more than one)
available in the PKCS#12 file by using the Keys property.

> B) Server certificate to the Mono / Linux store:
>
> Just checking if I got things right:
>
> I use the command:
>
> $ mono /usr/lib/mono/certmgr.exe -add -c -m CA cacert.cer
>
> $ mono /usr/lib/mono/certmgr.exe -add -c -m Trust server-certkey.cer

You should have a certmgr script (that calls mono on the installed
certmgr.exe) that would be simpler to type.

> to load the CA cert (cacert.cer in DER format) and
> to load the server cert
> (server certificate request is first signed and
> then the server-cert.pem and server-key.pem are concatenated
> with the cat command to server-certkey.pem
> which is then converted to server-certkey.cer in DER format).

??? server-cert.pem should contain your server certificate. DON'T
CONCATENATE your private key with it. The certificate store isn't
designed to keep private keys safe.

> The CN should be the same as hostname.

yes

> Do you find any error in the above procedure?

No. The Trust is done on a self-signed (root) certificate - which is
generally a CA certificate (non self-signed certificates go into the CA
store). _Assuming_ that your CA certificate is self-signed then all you
have to do is:

certmgr -add -c -m cacert.cer

The server certificate doesn't have to be in the store as you supply it
to the server.

> Does the Mono SSL handle incoming httprequests automatically
> or do I have to handle (for instance) the authentication in
> the custom channel? (If so, any code to look at? XSP?).

Mono's SSL doesn't (directly) understand HTTP - it sits lower in the
network stack. Recent XSP versions are SSL enabled.
> C) Client side certificate handling in Win32.
>
> I use "HttpWebRequest.ClientCertificates.Add(x509Certificate)"
> to set the client certificate.
>
> Below you wrote:
>
> > Using client certificates in this (remoting) setup may prove a little
> > more challenging as Fx1.x X509Certificate class has no notion of a
> > private key associated with the certificate. This may be fixed by doing
> > a custom remoting channel that use Mono.Security.dll (where you'll have
> > a callback to supply the private key for your client certificate).
> >
> Since I am no expert in this area (just have to try to be one
> due to the current lack of SSL security in .NET Remoting)
> I just wonder if anyone can direct me to what to do.
> I have read (implemented) the MS articles about custom channels
> and MS authentication, so I pretty much understand custom channels.
> I guess that it is only the authentication I have to try to
> implement in the custom channel?

and I'm no expert in remoting ;-) but I would try setting up a "classic"
SSL channel first - then worry about client certificates. At least at
this stage you'll have some code to show to get more help.

> Is there any open source code (.NET Mono C#) - about
> client side certificate authentication - I can download and read?

The XSP version released with 1.1.9 supports client-side certificates.

> >
> > Regards
> >
> > Yngve Zackrisson
> >
> > On Wed, 2005-09-07 at 13:39, Sebastien Pouliot wrote:
> > Hello Yngve,
> >
> > On Wed, 2005-07-09 at 11:15 +0200, Yngve Zackrisson wrote:
> > > Hi all.
> > >
> > > I am doing a remoting application
> > > and have a Win32 Client with MS .NET v1.1
> > > and a Linux (Fedora Core 3 x86) Server with Mono 1.1.8.3.
> > >
> > > The different clients will call the remote objects' methods
> > > on the server.
> > > Among other things the clients will upload a file to the server.
> > > I (now) only use "normal" calls to upload a file -
> > > no "callbacks" any more.
> > > The server will be located at our place.
> > > The clients will be users of "services", running on our server.
> > > The remote objects are currently hosted by a Console application,
> > > but are planned to be hosted by a Windows service (on Linux / Mono :-)).
> > > I have gotten this working with HTTP.
> > >
> > > I now will try to do this with HTTPS (on port 443),
> > > to get a secure tunnel between the client and the server.
> > >
> > > We would like to use SSL with both encryption and authentication,
> > > through x509 certificates.
> > > The certificates should (preferably) be self signed.
> > >
> > > From my testings and readings I have found that:
> > > 1) My Win32 client uses Tls.
> > > 2) The Win32 client certificates should be:
> > > a) Set in the ClientCertificates property of the HttpWebRequest.
> > > b) The client certificate must be installed in
> > > the LOCAL_MACHINE registry hive.
> > > (See: KB895971 at http://support.microsoft.com/?kbid=895971).
> > > 3) .NET prefers the DER format (called .cer)
> > > but may also use the .p12 format.
> > > 4) From the Microsoft .NET documentation,
> > > I have found support only for certificate authentication
> > > through ASP.NET/IIS-hosting - In MS .NET v1.1.
> > > 5) There is some support for SSL in Mono,
> > > and I have succeeded in installing certificates in Mono through certmgr
> > > (but I may have done it wrong. No real test yet).
> > >
> > > What I wonder is whether this approach is gonna work with .NET Remoting
> > > and with different Win32 MS .NET clients calling a Linux Mono server?
> >
> > Using client certificates in this (remoting) setup may prove a little
> > more challenging as Fx1.x X509Certificate class has no notion of a
> > private key associated with the certificate. This may be fixed by doing
> > a custom remoting channel that use Mono.Security.dll (where you'll have
> > a callback to supply the private key for your client certificate).
> >
> > > Do I have to customize any part of the SSL handshake?
> >
> > No. SSL/TLS is a negotiating protocol. You supply the certificates and
> > the rest gets done (well pretty much).
> >
> > More details on SSL are available in the FAQ
> > http://www.mono-project.com/FAQ:_Security
> >
> > > On the remote objects' methods, I would like to have
> > > access checks on the users' .NET Roles.
> > > Is it possible to impersonate the principal and add .NET Roles
> > > to that principal when the remote objects are hosted in
> > > a Console application or a Windows service (in Linux / Mono)?
> >
> > You can't impersonate (in the win32 way) if your communication channel
> > doesn't support it (e.g. SSPI) - so this works only for _some_ win32
> > stuff.
> >
> > You can always "mimic" the impersonation by transferring the identity in
> > a custom remoting channel (and setting the IPrincipal of the remote
> > object yourself). There are a lot of examples for doing this on the net.
> > Alternatively you can create a new IPrincipal instance based on the
> > client certificate used by the client.
> >
> > Lastly when using roles be sure to use imperative demands (e.g.
> > IPrincipal.IsInRole) and not declarative security attributes
> > (PrincipalPermission) unless you activate the security manager
> > (--security).
> > http://www.mono-project.com/CAS
> >
> > > Further, I am not really sure about how to set up the certificates
> > > on the Mono server for SSL.
> >
> > See the FAQ and/or do a "man certmgr" in a terminal.
> >
> > > I assume the certificates should be placed in the machine store.
> >
> > That depends on what will be using the certificate.
> >
> > > I have the certificates in DER (.cer) format.
> > > Should the CA certificate be placed in the CA store
> > > or in the Trust store? Any more to think about?
> >
> > Self-signed certificates go to the trusted store.
> > The CA store is for intermediate CA certificates.
> >
> > > I assume that the server certificate should be placed
> > > in the Trust store (of the machine store).
> > > I hope this is right.
> >
> > The machine store is handy if you don't know under which identity (user)
> > your program is gonna be executed (or if it may be executed by multiple
> > users on the same system). Otherwise keep your stuff in the user store.
>
_______________________________________________
Mono-devel-list mailing list
Mono-devel-list@lists.ximian.com
http://lists.ximian.com/mailman/listinfo/mono-devel-list
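The three points Sebastien makes above (read the private key from the PKCS#12 bundle through the Keys property rather than a PVK file, put self-signed certificates in the Trust store and intermediate CA certificates in the CA store, and build an IPrincipal from the client certificate and check roles imperatively with IsInRole) can be tried together in one small Mono program. The code below is an added example written for this page, not code from the thread, from XSP or from Mono.Security itself. It assumes the Mono.Security.X509.PKCS12 API as shipped with Mono 1.1.x (LoadFromFile, Keys, Certificates, IsSelfSigned, SubjectName, IssuerName), takes the bundle path and password as command-line arguments, and uses a hypothetical subject-to-role mapping that a real deployment would replace with a lookup in its own user database.

```csharp
// Added example (not from the thread): inspect a PKCS#12 bundle with
// Mono.Security, decide which certmgr store each certificate belongs in,
// and derive an IPrincipal from a client certificate for IsInRole checks.
// Build with: mcs -r:Mono.Security p12check.cs
using System;
using System.Collections;
using System.Security.Cryptography;
using System.Security.Principal;
using Mono.Security.X509;

class P12Check
{
    // PKCS12.Keys is an ArrayList of AsymmetricAlgorithm instances (RSA/DSA).
    // There may be more than one key, or none at all if only certificates
    // were packed into the bundle, so the caller must not assume Keys[0].
    static void InspectPkcs12 (string path, string password)
    {
        PKCS12 p12 = PKCS12.LoadFromFile (path, password);

        Console.WriteLine ("Private keys: {0}", p12.Keys.Count);
        foreach (AsymmetricAlgorithm key in p12.Keys)
            Console.WriteLine ("  {0}, {1} bits", key.GetType ().Name, key.KeySize);

        Console.WriteLine ("Certificates: {0}", p12.Certificates.Count);
        foreach (X509Certificate cert in p12.Certificates) {
            Console.WriteLine ("  Subject: {0}", cert.SubjectName);
            Console.WriteLine ("  Issuer : {0}", cert.IssuerName);
            Console.WriteLine ("  Store  : {0}", StoreFor (cert));
        }
    }

    // The rule stated in the thread: a self-signed (root) certificate goes
    // into the Trust store, anything else (an intermediate CA) into the CA
    // store. The server's own certificate is handed to the server directly
    // and never needs to be in either store.
    static string StoreFor (X509Certificate cert)
    {
        return cert.IsSelfSigned ? "Trust" : "CA";
    }

    // Hypothetical mapping from the certificate subject to .NET roles. A
    // production channel would look the subject (or a hash of the
    // certificate) up in its own user database instead of string-matching.
    static IPrincipal PrincipalFromClientCertificate (X509Certificate cert)
    {
        string subject = cert.SubjectName;
        string[] roles = subject.StartsWith ("CN=admin")
            ? new string[] { "User", "Admin" }
            : new string[] { "User" };
        GenericIdentity id = new GenericIdentity (subject, "X509");
        return new GenericPrincipal (id, roles);
    }

    // Imperative role demand, as recommended in the thread: works without
    // the security manager, unlike a declarative PrincipalPermission.
    static bool MayUpload (IPrincipal principal)
    {
        return principal.Identity.IsAuthenticated && principal.IsInRole ("User");
    }

    static int Main (string[] args)
    {
        if (args.Length < 2) {
            Console.Error.WriteLine ("usage: p12check <bundle.p12> <password>");
            return 1;
        }

        InspectPkcs12 (args[0], args[1]);

        // Treat the first certificate in the bundle as if it were the client
        // certificate presented on the channel, just to exercise the mapping.
        PKCS12 p12 = PKCS12.LoadFromFile (args[0], args[1]);
        if (p12.Certificates.Count > 0) {
            IPrincipal p = PrincipalFromClientCertificate (p12.Certificates[0]);
            Console.WriteLine ("{0} may upload: {1}", p.Identity.Name, MayUpload (p));
        }
        return 0;
    }
}
```

Running this against a bundle produced by openssl from the server certificate and key shows one key and one certificate; running it against a bundle that packs only cacert.cer shows zero keys, which is the situation in which reaching for a PVK file or concatenating server-key.pem into the certificate file is tempting and, as the reply explains, unnecessary: the key stays in the PKCS#12 bundle and the certificate store holds only certificates.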