IE5 client certs
Hm.. I configured modssl to require a client cert to access a site

    SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ )
    SSLVerifyClient require
    SSLVerifyDepth 5

Then I tried to create a client cert...

    openssl req -new -nodes -keyout clientcert.key -out clientcert.csr

Then our CA signed the CSR

    openssl x509 -req -in clientcert.csr -out clientcert.crt \
        -signkey ca-dff.key -CA ca-dff.crt -CAkey ca-dff.key \
        -CAcreateserial -days 14

Our CA root cert is installed in the browser.

I then dropped the clientcert.crt into the browser and installed it.
When I now access the site IE5 opens a box and asks to choose the client
cert. Unfortunately the box is empty!! It doesn't even show my Thawte
Personal Cert!

What am I doing wrong?
--
Torsten

__
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                              [EMAIL PROTECTED]
Automated List Manager                                 [EMAIL PROTECTED]
Re: IE5 client certs
On Mon, Mar 19, 2001, Torsten Curdt wrote:

> [...]
> For each CA there is much more information besides the PEM data (which
> is the only thing in my ca-dff.crt). It's pretty verbose including the
> fingerprint as well as some plain text infos about the cert.
> [...]

All text around the PEM data is just for information. It is not parsed by
mod_ssl/OpenSSL. It is there just for human reading.

> I wonder how I can create such a format for my CA cert. Do you have an
> idea?

$ openssl x509 -text -noout -in file

                                       Ralf S. Engelschall
                                       [EMAIL PROTECTED]
                                       www.engelschall.com
RE: IE5 client certs
Thanks! Works now... The client cert was in the wrong format... seems it
needs to be .p12 not .crt!

Thanks a lot! :)
--
Torsten

> As I told you, the things between -----BEGIN CERTIFICATE----- up to a
> -----END CERTIFICATE----- (including those tags) are the PEM encoded
> certificates. Everything else is considered a comment.
>
> Actually you can create those comments with the help of openssl
> (http://www.openssl.org):
>
>     openssl x509 -in mycert.crt -noout -text
>
> Or
>
>     openssl x509 -in mycert.crt -inform DER -noout -text
>
> if your certificate is in DER format.
>
> To convert a certificate from DER to PEM (native to mod_ssl) just do
>
>     openssl x509 -in mydercert.crt -inform DER -out mypemcert
>
> and voila.
>
> To just trust one CA, use the directive
>
>     SSLCACertificateFile ca-dff.crt
>
> ENSURE your certificate is in PEM format (has -----BEGIN CERTIFICATE-----).
> If you later want to trust another CA, just cat the new cert to
> ca-dff.crt, always in PEM format. Once again, between
> -----END CERTIFICATE----- and the next -----BEGIN CERTIFICATE----- is all
> comment to mod_ssl, so don't worry about the missing info.
>
> Good luck
> Diego
>
> At 15:28 19/3/2001 +0100, you wrote:
> > Ah! With the ca-bundle.crt now at least my thawte cert works...
> > But since I want only OUR CA to be trusted I need just the ca-dff.crt
> > instead of the ca-bundle.crt. But looking at the file I see very big
> > differences in the file format. For each CA there is much more
> > information besides the PEM data (which is the only thing in my
> > ca-dff.crt). It's pretty verbose including the fingerprint as well as
> > some plain text infos about the cert.
> > Maybe it is sorted out because these infos are missing?
> > I wonder how I can create such a format for my CA cert. Do you have an
> > idea?
> >
> > Thanks
> > --
> > Torsten
> >
> > > Same thing happened to me. Then I configured a CA certificate file
> > > and things went straight.
> > >
> > > The idea is that when the SSL handshake takes place, the server asks
> > > for a certificate which he will consider valid. That is, signed by a
> > > trusted CA. The server sends what HE considers to be trusted CA's to
> > > the browser, and the browser filters the installed certificates, and
> > > shows only those signed by one of the server trusted CA's. IE5 seems
> > > a little stupid.. and if no certificate passes this condition he just
> > > presents an empty dialog.
> > >
> > > Just create a text file and drop there all your trusted CA's in PEM
> > > format (those that say -----BEGIN CERTIFICATE-----). Just cat them
> > > all, one after another. You can even place comments in between them
> > > as mod_ssl will just parse from a -----BEGIN CERTIFICATE----- up to a
> > > -----END CERTIFICATE-----.
> > >
> > > Then add the directive
> > >
> > >     SSLCACertificateFile certs/my_trusted_cas.crt
> > >
> > > Obviously replacing 'certs/my_trusted_cas.crt' by the path and name
> > > of the recently created file. Now just try again.
> > >
> > > mod_ssl distribution comes with a file named ca-bundle.crt containing
> > > the certificates for what netscape considers trusted CA's. You can
> > > use that one and add your ca-dff.crt in PEM format.
> > >
> > > Try yourself by adding and removing that entry and you'll see that
> > > when the browser asks you to select a certificate, the newly created
> > > cert will appear or not depending on the presence of 'ca-dff.crt' in
> > > that trusted CA's file of the server.
> > >
> > > Hope that helps you.
Re: IE5 client certs
Same thing happened to me. Then I configured a CA certificate file and
things went straight.

The idea is that when the SSL handshake takes place, the server asks for a
certificate which he will consider valid. That is, signed by a trusted CA.
The server sends what HE considers to be trusted CA's to the browser, and
the browser filters the installed certificates, and shows only those signed
by one of the server trusted CA's. IE5 seems a little stupid.. and if no
certificate passes this condition he just presents an empty dialog.

Just create a text file and drop there all your trusted CA's in PEM format
(those that say -----BEGIN CERTIFICATE-----). Just cat them all, one after
another. You can even place comments in between them as mod_ssl will just
parse from a -----BEGIN CERTIFICATE----- up to a -----END CERTIFICATE-----.

Then add the directive

    SSLCACertificateFile certs/my_trusted_cas.crt

Obviously replacing 'certs/my_trusted_cas.crt' by the path and name of the
recently created file. Now just try again.

mod_ssl distribution comes with a file named ca-bundle.crt containing the
certificates for what netscape considers trusted CA's. You can use that one
and add your ca-dff.crt in PEM format.

Try yourself by adding and removing that entry and you'll see that when the
browser asks you to select a certificate, the newly created cert will
appear or not depending on the presence of 'ca-dff.crt' in that trusted
CA's file of the server.

Hope that helps you.

Diego

At 12:51 19/3/2001 +0100, you wrote:
> Hm.. I configured modssl to require a client cert to access a site
>
>     SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ )
>     SSLVerifyClient require
>     SSLVerifyDepth 5
>
> Then I tried to create a client cert...
>
>     openssl req -new -nodes -keyout clientcert.key -out clientcert.csr
>
> Then our CA signed the CSR
>
>     openssl x509 -req -in clientcert.csr -out clientcert.crt \
>         -signkey ca-dff.key -CA ca-dff.crt -CAkey ca-dff.key \
>         -CAcreateserial -days 14
>
> Our CA root cert is installed in the browser.
>
> I then dropped the clientcert.crt into the browser and installed it.
> When I now access the site IE5 opens a box and asks to choose the client
> cert. Unfortunately the box is empty!! It doesn't even show my Thawte
> Personal Cert!
>
> What am I doing wrong?
> --
> Torsten

Diego Tartara
[EMAIL PROTECTED]
--
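The procedure this thread converges on, end to end, as an added example (not code posted by Torsten or Diego and not part of mod_ssl): a throwaway private CA issues a client certificate, the identity is packaged as PKCS#12 for the browser, the server's trusted-CA bundle is a plain concatenation of PEM certificates, and `openssl verify -CAfile` reproduces the accept/reject decision mod_ssl makes against SSLCACertificateFile, including the negative case of a client certificate from a CA that is not in the bundle. The names ca-dff, ca-other, torsten, stranger, the scratch directory and the export password are assumptions made for the example; it needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not code from the thread. Names (ca-dff, ca-other, torsten,
# stranger, $WORK, the export password) are assumptions.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Minimal OpenSSL config: gives the CA cert real CA extensions and keeps the
# run independent of the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
# Extensions stamped onto issued client certs.
printf 'extendedKeyUsage = clientAuth\nkeyUsage = digitalSignature\n' > "$WORK/client.ext"

make_ca() {   # $1 = file stem, $2 = CN; self-signed root like ca-dff.crt/.key
    openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 365 -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

issue_client() {   # $1 = CA stem, $2 = client stem, $3 = subject DN
    # CSR with a fresh key, then the CA's signature. No -signkey here: that
    # option self-signs the request, which is not an issued certificate.
    openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -subj "$3" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 14 -extfile "$WORK/client.ext" \
        -out "$WORK/$2.crt" 2>/dev/null
}

to_pkcs12() {   # $1 = CA stem, $2 = client stem, $3 = export password
    # Browsers import an identity (cert + private key + issuer) as PKCS#12;
    # a bare .crt carries no key, which is the mismatch Torsten ran into.
    openssl pkcs12 -export -in "$WORK/$2.crt" -inkey "$WORK/$2.key" \
        -certfile "$WORK/$1.crt" -name "$2" -passout "pass:$3" -out "$WORK/$2.p12"
}

make_bundle() {   # $1 = output file, $2.. = CA stems to trust
    # SSLCACertificateFile is just PEM certs concatenated. This list is what
    # the server advertises in its CertificateRequest and what the browser
    # filters the installed client certs against.
    out="$1"; shift
    : > "$out"
    for ca in "$@"; do cat "$WORK/$ca.crt" >> "$out"; done
}

check_client() {   # $1 = bundle, $2 = client stem; 0 = accepted, 1 = rejected
    # The check mod_ssl makes under SSLVerifyClient require: does the
    # presented cert chain to a CA in the bundle?
    out="$(openssl verify -CAfile "$1" "$WORK/$2.crt" 2>&1 || true)"
    case "$out" in *": OK"*) return 0 ;; *) return 1 ;; esac
}

demo() {
    make_ca ca-dff   "DFF Test CA"
    make_ca ca-other "Some Other CA"
    issue_client ca-dff   torsten  "/O=dff/CN=torsten"
    issue_client ca-other stranger "/CN=stranger"
    to_pkcs12 ca-dff torsten changeit           # $WORK/torsten.p12 is what the browser imports
    make_bundle "$WORK/trusted-cas.crt" ca-dff  # trust only OUR CA
    if check_client "$WORK/trusted-cas.crt" torsten; then
        echo "torsten: accepted (issuer ca-dff is in the bundle)"
    fi
    if ! check_client "$WORK/trusted-cas.crt" stranger; then
        echo "stranger: rejected (issuer ca-other is not in the bundle)"
    fi
}

demo
```

To see the list a running server actually advertises, run `openssl s_client -connect host:443 </dev/null` and look at the "Acceptable client certificate CA names" section of its output; that list is what IE5 filters the installed certificates against, and an empty selection dialog means none of them chains to a name in it.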
Re: IE5 client certs
On Mon, Mar 19, 2001 at 10:13:45AM -0300, Diego Tartara wrote:
> Same thing happened to me. Then I configured a CA certificate file and
> things went straight.
>
> The idea is that when the SSL handshake takes place, the server asks for
> a certificate which he will consider valid. That is, signed by a trusted
> CA. The server sends what HE considers to be trusted CA's to the browser,
> and the browser filters the installed certificates, and shows only those
> signed by one of the server trusted CA's. IE5 seems a little stupid.. and
> if no certificate passes this condition he just presents an empty dialog.

not trying to defend IE ;) but that behaviour basically seems reasonable
to me, though an appropriate warning message instead of an empty box would
be more informative, of course. AFAIK, it wouldn't make much sense sending
a client certificate for which the server doesn't accept the CA that
issued it. To put it differently, the CA that issued the client
certificate would have to be contained in the server's list of accepted
CAs, anyway (see SSLCACertificateFile or SSLCACertificatePath), along the
same reasoning that the browser needs to accept the CA that issued the
server's certificate...

Erdmut

> Just create a text file and drop there all your trusted CA's in PEM
> format (those that say -----BEGIN CERTIFICATE-----). Just cat them all,
> one after another. You can even place comments in between them as
> mod_ssl will just parse from a -----BEGIN CERTIFICATE----- up to a
> -----END CERTIFICATE-----.
>
> Then add the directive
>
>     SSLCACertificateFile certs/my_trusted_cas.crt
>
> Obviously replacing 'certs/my_trusted_cas.crt' by the path and name of
> the recently created file. Now just try again.
>
> mod_ssl distribution comes with a file named ca-bundle.crt containing
> the certificates for what netscape considers trusted CA's. You can use
> that one and add your ca-dff.crt in PEM format.
>
> Try yourself by adding and removing that entry and you'll see that when
> the browser asks you to select a certificate, the newly created cert
> will appear or not depending on the presence of 'ca-dff.crt' in that
> trusted CA's file of the server.
>
> Hope that helps you.

--
Erdmut Pfeifer
science+computing ag

--
Bugs come in through open windows. Keep Windows shut!
RE: IE5 client certs
Ah! With the ca-bundle.crt now at least my thawte cert works...
But since I want only OUR CA to be trusted I need just the ca-dff.crt
instead of the ca-bundle.crt. But looking at the file I see very big
differences in the file format. For each CA there is much more
information besides the PEM data (which is the only thing in my
ca-dff.crt). It's pretty verbose including the fingerprint as well as
some plain text infos about the cert.
Maybe it is sorted out because these infos are missing?
I wonder how I can create such a format for my CA cert. Do you have an
idea?

Thanks
--
Torsten

> Same thing happened to me. Then I configured a CA certificate file and
> things went straight.
>
> The idea is that when the SSL handshake takes place, the server asks for
> a certificate which he will consider valid. That is, signed by a trusted
> CA. The server sends what HE considers to be trusted CA's to the browser,
> and the browser filters the installed certificates, and shows only those
> signed by one of the server trusted CA's. IE5 seems a little stupid.. and
> if no certificate passes this condition he just presents an empty dialog.
>
> Just create a text file and drop there all your trusted CA's in PEM
> format (those that say -----BEGIN CERTIFICATE-----). Just cat them all,
> one after another. You can even place comments in between them as
> mod_ssl will just parse from a -----BEGIN CERTIFICATE----- up to a
> -----END CERTIFICATE-----.
>
> Then add the directive
>
>     SSLCACertificateFile certs/my_trusted_cas.crt
>
> Obviously replacing 'certs/my_trusted_cas.crt' by the path and name of
> the recently created file. Now just try again.
>
> mod_ssl distribution comes with a file named ca-bundle.crt containing
> the certificates for what netscape considers trusted CA's. You can use
> that one and add your ca-dff.crt in PEM format.
>
> Try yourself by adding and removing that entry and you'll see that when
> the browser asks you to select a certificate, the newly created cert
> will appear or not depending on the presence of 'ca-dff.crt' in that
> trusted CA's file of the server.
>
> Hope that helps you.
RE: IE5 client certs
As I told you, the things between -----BEGIN CERTIFICATE----- up to a
-----END CERTIFICATE----- (including those tags) are the PEM encoded
certificates. Everything else is considered a comment.

Actually you can create those comments with the help of openssl
(http://www.openssl.org):

    openssl x509 -in mycert.crt -noout -text

Or

    openssl x509 -in mycert.crt -inform DER -noout -text

if your certificate is in DER format.

To convert a certificate from DER to PEM (native to mod_ssl) just do

    openssl x509 -in mydercert.crt -inform DER -out mypemcert

and voila.

To just trust one CA, use the directive

    SSLCACertificateFile ca-dff.crt

ENSURE your certificate is in PEM format (has -----BEGIN CERTIFICATE-----).
If you later want to trust another CA, just cat the new cert to
ca-dff.crt, always in PEM format. Once again, between
-----END CERTIFICATE----- and the next -----BEGIN CERTIFICATE----- is all
comment to mod_ssl, so don't worry about the missing info.

Good luck
Diego

At 15:28 19/3/2001 +0100, you wrote:
> Ah! With the ca-bundle.crt now at least my thawte cert works...
> But since I want only OUR CA to be trusted I need just the ca-dff.crt
> instead of the ca-bundle.crt. But looking at the file I see very big
> differences in the file format. For each CA there is much more
> information besides the PEM data (which is the only thing in my
> ca-dff.crt). It's pretty verbose including the fingerprint as well as
> some plain text infos about the cert.
> Maybe it is sorted out because these infos are missing?
> I wonder how I can create such a format for my CA cert. Do you have an
> idea?
>
> Thanks
> --
> Torsten
>
> > Same thing happened to me. Then I configured a CA certificate file
> > and things went straight.
> >
> > The idea is that when the SSL handshake takes place, the server asks
> > for a certificate which he will consider valid. That is, signed by a
> > trusted CA. The server sends what HE considers to be trusted CA's to
> > the browser, and the browser filters the installed certificates, and
> > shows only those signed by one of the server trusted CA's. IE5 seems
> > a little stupid.. and if no certificate passes this condition he just
> > presents an empty dialog.
> >
> > Just create a text file and drop there all your trusted CA's in PEM
> > format (those that say -----BEGIN CERTIFICATE-----). Just cat them
> > all, one after another. You can even place comments in between them
> > as mod_ssl will just parse from a -----BEGIN CERTIFICATE----- up to a
> > -----END CERTIFICATE-----.
> >
> > Then add the directive
> >
> >     SSLCACertificateFile certs/my_trusted_cas.crt
> >
> > Obviously replacing 'certs/my_trusted_cas.crt' by the path and name
> > of the recently created file. Now just try again.
> >
> > mod_ssl distribution comes with a file named ca-bundle.crt containing
> > the certificates for what netscape considers trusted CA's. You can
> > use that one and add your ca-dff.crt in PEM format.
> >
> > Try yourself by adding and removing that entry and you'll see that
> > when the browser asks you to select a certificate, the newly created
> > cert will appear or not depending on the presence of 'ca-dff.crt' in
> > that trusted CA's file of the server.
> >
> > Hope that helps you.

Diego Tartara
[EMAIL PROTECTED]
--
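As an added example (not Diego's code and not a file from the mod_ssl distribution) of what "everything else is a comment" means in practice: build a ca-bundle.crt-style entry from the `-text` and `-fingerprint` output, count the certificates a PEM reader actually finds in it, confirm that openssl still trusts the CA with the commentary present, and show the DER case, where a PEM reader finds nothing at all, together with the DER-to-PEM conversion. The throwaway self-signed CA named ca-dff and the scratch directory are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. The throwaway CA "ca-dff" and the
# $WORK directory are assumptions.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Self-signed CA standing in for the thread's ca-dff.crt (constructed input).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -subj "/CN=DFF Test CA" \
    -keyout "$WORK/ca-dff.key" -out "$WORK/ca-dff.crt" 2>/dev/null

annotate_cert() {   # $1 = PEM cert; prints a ca-bundle.crt-style entry
    # Human-readable dump and fingerprint first (pure commentary to mod_ssl),
    # then the PEM block, the only part OpenSSL parses.
    openssl x509 -in "$1" -noout -text -fingerprint -sha1
    echo
    openssl x509 -in "$1"
}

pem_cert_count() {   # $1 = file; counts certs the way a PEM reader sees them
    # Only text between the BEGIN and END tags is a certificate; the dump
    # above, free text between entries, or a DER blob all count for nothing.
    LC_ALL=C awk '/^-----BEGIN CERTIFICATE-----$/ { inblk = 1 }
                  /^-----END CERTIFICATE-----$/   { if (inblk) n++; inblk = 0 }
                  END { print n + 0 }' "$1"
}

fingerprint() {   # $1 = cert file, $2 = PEM or DER; prints the SHA-256 fingerprint
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 | cut -d= -f2
}

der_to_pem() {   # $1 = DER input, $2 = PEM output (PEM is the default -outform)
    openssl x509 -in "$1" -inform DER -out "$2"
}

bundle_accepts() {   # $1 = CA file for -CAfile, $2 = cert; 0 if openssl trusts $2
    out="$(openssl verify -CAfile "$1" "$2" 2>&1 || true)"
    case "$out" in *": OK"*) return 0 ;; *) return 1 ;; esac
}

demo() {
    # 1. Annotated bundle: a comment line, the -text dump, then the PEM block.
    {
        echo "# Our CA (ca-dff). Lines like this one are ignored by mod_ssl."
        annotate_cert "$WORK/ca-dff.crt"
    } > "$WORK/annotated-bundle.crt"
    echo "annotated bundle holds $(pem_cert_count "$WORK/annotated-bundle.crt") cert(s)"
    if bundle_accepts "$WORK/annotated-bundle.crt" "$WORK/ca-dff.crt"; then
        echo "openssl verify: OK with the commentary present"
    fi

    # 2. The failure mode: a DER file has no BEGIN/END tags, so a PEM reader
    #    finds zero certificates and -CAfile on it trusts nothing.
    openssl x509 -in "$WORK/ca-dff.crt" -outform DER -out "$WORK/ca-dff.der"
    echo "DER file seen as $(pem_cert_count "$WORK/ca-dff.der") cert(s)"

    # 3. Convert DER to PEM: same certificate, now in the format mod_ssl reads.
    der_to_pem "$WORK/ca-dff.der" "$WORK/ca-dff-from-der.crt"
    if [ "$(fingerprint "$WORK/ca-dff.der" DER)" = "$(fingerprint "$WORK/ca-dff-from-der.crt" PEM)" ]; then
        echo "DER -> PEM round trip preserved the certificate"
    fi
}

demo
```

Appending another CA to the bundle is just `annotate_cert other-ca.crt >> annotated-bundle.crt`; the count goes up by one and nothing else about the file matters to the server.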