Hi Andrea,

How do I structure the CA so that, when I move it to my server, Pound can use 
it to verify my pkcs12 in the browser?
Because I still get the 
"Peer does not recognize and trust the CA that issued your certificate. Error 
code: SSL_ERROR_UNKNOWN_CA_ALERT" message. 

I followed the instructions as outlined in this article:

https://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/

I have also gone through this entire process:
https://jamielinux.com/docs/openssl-certificate-authority/

And have even used this method outlined here:
https://kb.op5.com/pages/viewpage.action?pageId=19073746#sthash.6qjDXI9k.joHDgFxB.dpbs

Let me make sure I have the steps right because this procedure works every time 
I use the certificate for the Cert directive.

I create the Certificate Authority by creating the CA key.
Then I create the CA certificate and sign it with the CA key.
I place this CA.pem file into the Firefox Authorities manager. 
I set ClientCert 2 2.
Then I move CA.pem to the server's Pound VerifyList and CAlist directory and 
point the CAlist and VerifyList paths in the pound.cfg file to that CA.pem.

Then I create a new browser key.
Then I create the browser certificate request.
Then I sign the browser certificate request with the above CA.pem.

Then I use the above browser cert signed by the CA along with the browser key 
to construct the pkcs12 or .p12 file and then import it into Firefox "Your 
Certificates" manager.

I restart the server and Pound.
I close the browser and reopen it once Pound is up and running, then try to 
access my server with the browser certificate signed by my CA, using the 
pkcs12 certificate.

Or am I doing something wrong here? I have no issues getting the Cert file to 
work. I do not want to use the basic Cert file because you can retrieve that 
file and use it in other programs to do DoS attacks, or use it to decrypt the 
data sent.
That is why I want to create a separate, independent certificate/key, so that 
even though they can get the basic cert that Pound requires, it is useless, and 
in order to access the server they have to have the independent, internally 
created certificate to access my server through Pound. If they do not have 
that certificate, then they are kicked out.

Hopefully I explained my issue and what I have done and what I am trying to 
accomplish.

Joe, you and a couple of others have tried to help me, but everything he sent me 
has not helped. Maybe you or someone here, after reviewing what I am doing and 
what I want to do, can give me something else to try.
Warren

-----Original Message-----
From: Bussi Andrea [mailto:bu...@mfn.unipmn.it] 
Sent: Friday, August 04, 2017 5:59 AM
To: pound@apsis.ch
Subject: Re: [Pound Mailing List] Follow-Up to help with Pound, Web browsers 
and Certificates

On 08/03/2017 07:23 PM, Warren Perdue wrote:
> Hi D,
> 
> 
> I want to first verify I am doing this right.
> 
> I create the CA key
> Then create the CA cert and sign it using the CA key to create the CA 
> certificate.
> 

Correct. The CA certs are self-signed.

> Then I create the client key.
> Then create the client certificate signed by the client key.
> 

Wrong.

You wanna make a client certificate request and have the CA sign it.

Hope this helps,

Andrea

--
To unsubscribe send an email with subject unsubscribe to pound@apsis.ch.
Please contact ro...@apsis.ch for questions.
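The chain Andrea describes (self-signed CA, then a client certificate *request* signed by the CA, then a PKCS#12 bundle for the browser), written out as a script so each step can be checked before it reaches pound.cfg. This is an added example, not code from either poster or from the Pound project; it assumes openssl is on the PATH, and the subject names, output directory and the pkcs12 password are made-up placeholders.

```shell
#!/bin/sh
# Added example: issue a client cert from a private CA the way Pound's
# CAlist/VerifyList expect it, and verify the chain locally first.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }
WORK="${WORK:-$(mktemp -d)}"          # constructed scratch directory

make_ca() {
    # Step 1: CA key and self-signed CA certificate. ca.pem is the file that
    # goes into Firefox "Authorities" and into Pound's CAlist / VerifyList.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
        -subj "/CN=Example Internal CA" 2>/dev/null
}

make_client() {
    # Step 2: client key plus a certificate REQUEST (not a self-signed cert).
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" \
        -subj "/CN=browser-user" 2>/dev/null
    # Step 3: the CA signs the request, so client.pem's issuer is the CA.
    openssl x509 -req -days 365 -in "$WORK/client.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/client.pem" 2>/dev/null
    # Step 4: bundle key + cert (+ CA) for the Firefox "Your Certificates" import.
    openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.pem" \
        -certfile "$WORK/ca.pem" -out "$WORK/client.p12" -passout pass:changeit
}

make_wrong_client() {
    # The mistake from the earlier message: a client cert signed by its own key.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/wrong.key" -out "$WORK/wrong.pem" \
        -subj "/CN=browser-user" 2>/dev/null
}

verify_client() {
    # The same trust decision Pound makes against CAlist/VerifyList:
    # does the presented cert chain to ca.pem?  Returns 0 only if it does.
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/client.pem" >/dev/null 2>&1
}

verify_wrong_client_rejected() {
    # A self-signed client cert must NOT verify against the CA (unknown CA).
    ! openssl verify -CAfile "$WORK/ca.pem" "$WORK/wrong.pem" >/dev/null 2>&1
}

make_ca && make_client && make_wrong_client
verify_client && echo "client.pem chains to ca.pem; safe to install in Pound"
verify_wrong_client_rejected && echo "self-signed client cert correctly rejected"
```

If `verify_client` fails here, Pound will fail the same way and the browser will see SSL_ERROR_UNKNOWN_CA_ALERT, so fix the signing step before editing pound.cfg.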