OK, I've read through the sw-mod-ssl mail archive.
So, I am the only one having this problem (?)
I must be doing something wrong...

Configuration:
linux/intel RedHat (5.1 there)
apache-mod_ssl-1.3.3-2.0.13-1 (from ftp.replay.com)
SSLeay=0.9.0b-3 (same site)
pcks12-prog-052 (latest c-sourcefile Aug 28 1998)
ca-fix (ca-fix.c Sep 14 1998)

I have not tried upgrading to a newer mod_ssl yet.

Summary of the problem:
I can't create a user certificate for doing user verification:
  netscape refuses to send the client certificate, or even
  to recognise it as suitable for client verification

A Thawte Freemail X509 generic certificate does work fine, on the
same apache-mod_ssl configuration.

Certificates differ in:
  Version, KeyUsage extension, BasicConstraints, Thawte sxnet extension.


Now, the long story ..

I have:
- made a Root CA, self signed, and patched it:
$ ca-fix -in ca-root.crt.orig -inkey privkey.pem \
        -caset -nscertype 0x7 -pathlen 2 | \
        ssleay x509 -days 2048 -signkey privkey.pem -out ca-root.crt
- loaded it into NS Communicator 4.5 (x-509-ca-cert)
- trusted it, verified OK

Then:
- created a site certificate, configured apache_mod-ssl
- tried with SSLVerifyClient none: works OK
- turned on client verification: ns alert 'no user certificate', that's
right

Then:
- produced a HTML form for netscape to do its KEYGEN trick,
- created cgi support that essentially does (with nsCertType set to
0xA0)
$ ssleay ca -spkac whatever.req -config client.cnf

- load result into NS (x-509-user-cert)
- verify OK
- can't connect (still 'no user certificate')
- note that S/MIME works great with these certs

Then:
- killed all *.db files in Netscape profile, reloaded ca-root.crt
- retried, with no nsCertType in the ca config
- still 'no user certificate'

Then:
- registered at Thawte for a free generic X509 certificate,
- created a nice & simple CSR with mkcert.sh
- posted this CSR into the Thawte web form
- fiddled with the returned chain data in pkcs7 format:
$ ssleay enc -d -a -in chain.pkcs7 | \
  ssleay pkcs7 -inform DER -print_certs
- divided it in:
  user cert - intervening cert + root cert
- assembled these pieces and the original user.key together with pkcs12
- imported the result into Netscape
- made sure the Thawte certifier was known to mod_ssl
- and **CONNECTED** using client verification

Then:
- killed all *.db files in Netscape profile, reloaded ca-root.crt
- tried to ca-fix the output of the cgi stuff:
$ ca-fix -in ca.db.certs/F0.pem -inkey client.key -caunset -bscrit \
  -Cext keyUsage digitalSignature -out newtry.crt
- which results in netscape verify error 'not certified for Unknown
Usage'

OK, that last one was a shot in the dark, just trying to make the
resulting certificate look like this Thawte cert.

Along the way, I've also tried Ralf Engelschall's solution found here
in the mail archive
  Re: client certificates (again)
  Date: Tue, 27 Oct 1998 15:52:15 +0100
containing a derivative of mkcert.sh, but not a valid personal
certificate to netscape.


I'll include these:

My working Thawte Freemail certificate:
-----BEGIN CERTIFICATE-----
[certificate body not reproduced here]
-----END CERTIFICATE-----

Example of broken client certificate, before ca-fix
-----BEGIN CERTIFICATE-----
[certificate body not reproduced here]
-----END CERTIFICATE-----

The 'org-net CA' self-signed, patched, certificate (client.crt)
-----BEGIN CERTIFICATE-----
MIICTjCCAbegAwIBAgIBADANBgkqhkiG9w0BAQQFADBZMQswCQYDVQQGEwJOTDET
MBEGA1UEChMKb3JnLm5ldCBidjETMBEGA1UEAxMKb3JnLW5ldCBDQTEgMB4GCSqG
SIb3DQEJARYRb2ZmaWNlQG9yZy1uZXQubmwwHhcNOTgxMjE2MTM1NjE2WhcNMDQw
NzI1MTM1NjE2WjBZMQswCQYDVQQGEwJOTDETMBEGA1UEChMKb3JnLm5ldCBidjET
MBEGA1UEAxMKb3JnLW5ldCBDQTEgMB4GCSqGSIb3DQEJARYRb2ZmaWNlQG9yZy1u
ZXQubmwwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKIdajESY4toijKRj/iQ
Ul2lsGi0t4CMC9XYZm7tOPJJUYFDeQmaK2/Z6RVAdsHmFtdd7CnRgP7PkvOT1fyc
LnPCmTP9MPwKGwNpzhlULRXw2HU362G97LTARRuxS2FCK1fiM1h+eFjZWR+KmRIi
KV6ih6erxaXLjLtiKbSL0dV/AgMBAAGjJjAkMA8GA1UdEwQIMAYBAf8CAQIwEQYJ
YIZIAYb4QgEBBAQDAgAHMA0GCSqGSIb3DQEBBAUAA4GBABDB9nOJ36B1XGZWH80B
V9Z7Z1ywMCyll0Ege7M1cCrug3FmxTRRg9X+aZmBBIFXlXi+KoUDb7+297pATp2t
PpPlS507n7o0sER4YJmj+LhwjnQYonUmFvqhiz3Iz6baDH+LGBJXdd1Ov5YDmsRG
nr/udpGjSMm2HXLxFzJAcwX9
-----END CERTIFICATE-----

The 'client.cnf' file in the signing environment.
Probably all defaults and prompts could be left out
when using it only with 'ca -spkac ...'.
---start-client.cnf---
[ ca ]
default_ca              = CA_own
[ CA_own ]
dir                     = ca-client
certs                   = $dir
new_certs_dir           = $dir/ca.db.certs
database                = $dir/ca.db.index
serial                  = $dir/ca.db.serial
RANDFILE                = $dir/ca.db.rand
certificate             = src/client.crt
private_key             = src/client.key
default_days            = 60
default_crl_days        = 30
default_md              = md5
preserve                = no
policy                  = policy_anything
#x509_extensions         = x509v3_extensions
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
[ x509v3_extensions ]
#nsCertType              = 0xA0
####################################################################
[ req ]
default_bits            = 1024
distinguished_name      = req_distinguished_name

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = NL
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     =

localityName                    = Locality Name (eg, city)

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = org.net bv

organizationalUnitName          = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

commonName                      = Common Name (fullname, sslhost, username)
commonName_max                  = 64

emailAddress                    = Email Address
emailAddress_max                = 40
---end-client.cnf---
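As an added example (not part of the original post, and not code from mod_ssl, SSLeay or ca-fix), the following Python script walks the DER of the 'org-net CA' certificate included above and decodes its v3 extensions, and also decodes an nsCertType value as written in a CA config (such as the 0xA0 in client.cnf). The summary says the working Thawte cert and the home-made one differ in Version, KeyUsage and BasicConstraints; a dumper like this, run over each certificate, lets those fields be compared directly. It is a minimal DER walker written for this page, uses only the standard library, and the only input is the certificate posted above (assumed to be reproduced exactly).

```python
import base64

# The 'org-net CA' certificate exactly as posted above (self-signed, patched with ca-fix).
CA_PEM = """-----BEGIN CERTIFICATE-----
MIICTjCCAbegAwIBAgIBADANBgkqhkiG9w0BAQQFADBZMQswCQYDVQQGEwJOTDET
MBEGA1UEChMKb3JnLm5ldCBidjETMBEGA1UEAxMKb3JnLW5ldCBDQTEgMB4GCSqG
SIb3DQEJARYRb2ZmaWNlQG9yZy1uZXQubmwwHhcNOTgxMjE2MTM1NjE2WhcNMDQw
NzI1MTM1NjE2WjBZMQswCQYDVQQGEwJOTDETMBEGA1UEChMKb3JnLm5ldCBidjET
MBEGA1UEAxMKb3JnLW5ldCBDQTEgMB4GCSqGSIb3DQEJARYRb2ZmaWNlQG9yZy1u
ZXQubmwwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKIdajESY4toijKRj/iQ
Ul2lsGi0t4CMC9XYZm7tOPJJUYFDeQmaK2/Z6RVAdsHmFtdd7CnRgP7PkvOT1fyc
LnPCmTP9MPwKGwNpzhlULRXw2HU362G97LTARRuxS2FCK1fiM1h+eFjZWR+KmRIi
KV6ih6erxaXLjLtiKbSL0dV/AgMBAAGjJjAkMA8GA1UdEwQIMAYBAf8CAQIwEQYJ
YIZIAYb4QgEBBAQDAgAHMA0GCSqGSIb3DQEBBAUAA4GBABDB9nOJ36B1XGZWH80B
V9Z7Z1ywMCyll0Ege7M1cCrug3FmxTRRg9X+aZmBBIFXlXi+KoUDb7+297pATp2t
PpPlS507n7o0sER4YJmj+LhwjnQYonUmFvqhiz3Iz6baDH+LGBJXdd1Ov5YDmsRG
nr/udpGjSMm2HXLxFzJAcwX9
-----END CERTIFICATE-----"""

# Extension OIDs the post is concerned with; anything else is reported by OID and hex.
OID_NAMES = {"2.5.29.15": "keyUsage", "2.5.29.19": "basicConstraints",
             "2.16.840.1.113730.1.1": "nsCertType"}
# Bit names in BIT STRING order (bit 0 is the most significant bit of the first byte).
NSCERTTYPE_BITS = ["SSL Client", "SSL Server", "S/MIME", "Object Signing",
                   "Reserved", "SSL CA", "S/MIME CA", "Object Signing CA"]
KEYUSAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                 "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                 "encipherOnly", "decipherOnly"]

def pem_to_der(pem):
    body = [ln.strip() for ln in pem.strip().splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(body))

def read_tlv(buf, pos=0):
    """Return (tag, contents, position after element) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: 0x8n, then n length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(contents):
    """Split the contents of a constructed element into (tag, contents) pairs."""
    out, pos = [], 0
    while pos < len(contents):
        tag, val, pos = read_tlv(contents, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                      # base-128, high bit set on all but the last byte
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def decode_bitstring(contents, names):
    """BIT STRING contents (first byte = unused-bit count) -> names of the set bits."""
    body = contents[1:]
    return [name for i, name in enumerate(names)
            if i // 8 < len(body) and body[i // 8] & (0x80 >> (i % 8))]

def nscerttype_flags(value):
    """Decode an nsCertType value as written in a CA config, e.g. 0xA0."""
    return decode_bitstring(bytes([0, value & 0xFF]), NSCERTTYPE_BITS)

def decode_basic_constraints(raw):
    ca, pathlen = False, None
    for tag, val in children(read_tlv(raw)[1]):   # SEQUENCE { cA BOOLEAN, pathLen INTEGER }
        if tag == 0x01:
            ca = val != b"\x00"
        elif tag == 0x02:
            pathlen = int.from_bytes(val, "big")
    return {"ca": ca, "pathlen": pathlen}

def certificate_extensions(pem):
    """Return {extension name: {'critical': bool, 'value': decoded}} for a v3 certificate."""
    _, cert, _ = read_tlv(pem_to_der(pem))        # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert)                    # tbsCertificate is its first child
    result = {}
    for tag, val in children(tbs):
        if tag != 0xA3:                           # extensions live in [3] EXPLICIT
            continue
        for _, ext in children(children(val)[0][1]):
            parts = children(ext)                 # OID, optional critical BOOLEAN, OCTET STRING
            oid = decode_oid(parts[0][1])
            name = OID_NAMES.get(oid, oid)
            critical = len(parts) == 3 and parts[1][1] != b"\x00"
            raw = parts[-1][1]
            if name == "basicConstraints":
                value = decode_basic_constraints(raw)
            elif name in ("nsCertType", "keyUsage"):
                bits = NSCERTTYPE_BITS if name == "nsCertType" else KEYUSAGE_BITS
                value = decode_bitstring(read_tlv(raw)[1], bits)
            else:
                value = raw.hex()
            result[name] = {"critical": critical, "value": value}
    return result

if __name__ == "__main__":
    for name, ext in certificate_extensions(CA_PEM).items():
        print(name, "(critical)" if ext["critical"] else "", ext["value"])
    print("nsCertType 0xA0 =", nscerttype_flags(0xA0))
```

Run as-is it reports the CA certificate's two extensions, basicConstraints CA:TRUE with pathlen 2 and nsCertType set to the three CA bits (SSL CA, S/MIME CA, Object Signing CA), which is what the ca-fix invocation at the top of the post (-caset -nscertype 0x7 -pathlen 2) asked for; 0xA0 decodes to SSL Client plus S/MIME. Pointing `certificate_extensions` at the Thawte cert and the ca-generated user cert shows the keyUsage and basicConstraints differences the summary mentions.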
