Problem faced generating client and server certificate and key files:
I am not able to generate the following files using simpatica:
1. server pem encoded cert file
2. server pem encoded key file
3. client pem encoded cert file
4. client pem encoded key file

I am able to create a certificate using the Public --> Require new certificate
option, and it is listed under CA --> List pending requests. When I click
on any individual certificate listed on the List pending requests page, it
asks for the CA private key password and usage (client Auth, server Auth);
after submitting, it is listed under CA --> List signed certificates. If I
choose one client Auth and one server Auth, they are listed on the
above page, but how do I download these two certificates, and are these two the
server pem encoded cert file and client pem encoded cert file? If yes, then
how do I download these two, and where are the other two client and server pem
encoded key files; how do I generate them?

On Tue, Jul 31, 2012 at 3:17 PM, Amit <amit.khaw...@gmail.com> wrote:

> Hi Michele,
> Still I am not able to achieve X509 authentication. I am able to generate
> the following files using the CA menu:
> cacert.key (CA private key)
> CA certificate request (cacsr.pem)
> CA self signed certificate(cacrt.pem)
>
> there is one more menu called Public which has the options "Get CA
> certificate", "Get CA certificate revocation list" and "Require New
> certificate"
>
> I tried using the Require New certificate option and it generates a
> certificate something like the one below:
>  Certificate Request for
>
> /C=ZZ/CN=ffdfdf/L=YYYYY/O=ACME/ST=XXXXX/emailAddress=rt...@dfgdg.com/SN=jhjhjhj/GN=fghfhfh/OU=Certification Authority
>
>  -----BEGIN CERTIFICATE REQUEST-----
> MIIC+DCCAeACADCBszELMAkGA1UEBhMCWloxDzANBgNVBAMTBmZmZGZkZjEOMAwG
> A1UEBxMFWVlZWVkxDTALBgNVBAoTBEFDTUUxDjAMBgNVBAgTBVhYWFhYMR4wHAYJ
> KoZIhvcNAQkBFg9ydGVldEBkZmdkZy5jb20xEDAOBgNVBAQTB2poamhqaGoxEDAO
> BgNVBCoTB2ZnaGZoZmgxIDAeBgNVBAsTF0NlcnRpZmljYXRpb24gQXV0aG9yaXR5
> MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo9PxvzHv/NAqYsUxm3YD
> MvW6GohKWPrHAP8XftRthBu4hDWUKT0IjOF6Sva4Pi7PkRuA9z2HfKVDETs5wy3o
> InvPcmjhUSTGynNI95AkXrGoBsiIlQwPNbBtRNLRA870OPDAlM04LQEj4+tIndtE
> jrNliOseAp286opRqQbA3bnB2wY4HKHxe3c118qeTmuv2B5g8fwbmADkp8N/PKk5
> Ami7d31Ava41m8x4k1hJ9SBitimmiOLs0Ua37BY/rtm57g6m0PqXhlPWvaBtnfr7
> 6q+E9ram6t9zWGFdNedfQjhGvyCUEMieXlRhCOC9J/6/al0WJ3mln02gY/sSS3TF
> 8QIDAQABoAAwDQYJKoZIhvcNAQEFBQADggEBAJIKf7kwxVGvlrATk6DPhu7dqEjw
> iAL41XTNjlR2780/wDBR5yUiCTtXFFuqAPagAn9i/qjb2gC5jZZmbUOhgYSyZpp/
> qznZFTg9MsVdszC/LBLkRpDCxqLm1m61WCi5qmHGq9nN55rtdwiJsglQkUwvFeUK
> SaMY95U+qakWqveCGzcmCoWir9zWKpBH1/Z89r5ktAsi7CdH9RdGQJeM8K8lBK3F
> fqhakKXiA+afPFnhwK+KSisJGJl573ocHXGL/obhuOPj0uunfgxIBxION4nVDPCn
> CTz7or24EltIZ5/e6T9PgvBbfUeMJ8WQEKVFlaqaJ+gAtl7FDHfOQmmUXN4=
> -----END CERTIFICATE REQUEST-----
>
>
> what is this certificate and where is it stored? I checked in the
> private/ssl folder and didn't find any other certificate generated.
> How do I generate server and client private keys and certificates? As per
> your previous mail simpatica should generate the following certificates:
>
> 1. generate ca priv key + self signed certificate
> 2. generate server priv keys +  certificates signed by the above ca
>     certificate
> 3.  generate client priv keys + certificates signed by the above ca
>      certificate
>
>
> but I am not able to generate 2. and 3. above, so please guide me on how
> to generate them.
>
>
> Thanks,
> Amit
>
>
>>
>>
>> On Thu, Jul 26, 2012 at 10:50 AM, Amit <amit.khaw...@gmail.com> wrote:
>>
>>> Thanks Michele, I am going to generate keys using simpatica. I will let
>>> you know if I face any problem.
>>>
>>> Thanks,
>>> Amit
>>>
>>>
>>> On Wed, Jul 25, 2012 at 7:01 PM, Michele Comitini <
>>> michele.comit...@gmail.com> wrote:
>>>
>>>> 2012/7/25 Amit <amit.khaw...@gmail.com>:
>>>> > Michele,
>>>> >
>>>> > I have gone through the X509_Auth class and its methods :
>>>> >
>>>> > login_form
>>>> >
>>>> > login_url
>>>> > get_user
>>>> >
>>>> > But I am not able to visualize how to use this class in my
>>>> > model/controller. I just write below what I understood; please confirm
>>>> > whether I understood correctly or not.
>>>> >
>>>> >
>>>> > My requirement is: I have one web service method add() in the controller
>>>> > default.py, and I just want to enable x509 authentication.
>>>> > For that purpose I will use simpatica to generate keys and certificates,
>>>> > then in the model db.py I will use the code below:
>>>> >
>>>> >
>>>> >     """
>>>> >     Login using x509 cert from client.
>>>> >
>>>> >     from gluon.contrib.login_methods.x509_auth import X509Account
>>>> >     auth.settings.actions_disabled=['register','change_password',
>>>> >                                     'request_reset_password','profile']
>>>> >     auth.settings.login_form = X509Account()
>>>> >
>>>> >     """
>>>> >
>>>> >
>>>> > and then in the add method I will put the @auth.requires_login() annotation.
>>>> >
>>>> > My doubts:
>>>> > 1. how to configure the certificate with Rocket and the Apache server?
>>>> > 2. how to make the call to the web service method with private keys from
>>>> > the client?
>>>> >
>>>> > 3. I didn't find the X509Account class; instead I found the X509Auth
>>>> > class, so is it the same? If yes then I need to create
>>>> >
>>>>
>>>> 1 rocket:
>>>>  python web2py.py  --ssl_certificate=<server pem encoded cert file>
>>>> --ssl_private_key=<server pem encoded key file> --ca-cert=<CA
>>>> certificate pem encoded file>
>>>>  apache see mod_ssl config:
>>>>  http://httpd.apache.org/docs/2.2/mod/mod_ssl.html
>>>>
>>>> You can use a single pem encoded file containing: server cert, server
>>>> key, CA cert.  Pass it to all the options.
>>>>
>>>> 2 What is the client?  With curl:
>>>> curl --cert <client pem encoded cert + key file>  ...
>>>>
>>>> With python:
>>>> you can use pycurl or httplib
>>>> (http://docs.python.org/library/httplib.html) see their docs.
>>>>
>>>>
>>>> 3 You did the right thing using X509_Auth.  The error in the comment
>>>> is corrected in trunk.
>>>>    The interesting part that you may want to override in a child class
>>>> is the get_user() method.  Look at how certificate properties are mapped
>>>> to the auth.user record (the profile variable).  You may override
>>>> those to fit your needs.
>>>>
>>>> mic
>>>>
>>>>
>>>>
>>>> >
>>>> >  auth.settings.login_form = X509Auth() instance ?
>>>> >
>>>> >
>>>> >
>>>> > Thanks,
>>>> > Amit
>>>> >
>>>> > On Wed, Jul 25, 2012 at 2:28 PM, Michele Comitini
>>>> > <michele.comit...@gmail.com> wrote:
>>>> >>
>>>> >> ----
>>>> >> simpatica
>>>> >>
>>>> >> - generate ca priv key + self signed certificate
>>>> >> - generate server priv keys +  certificates signed by the above ca
>>>> >> certificate
>>>> >> - generate client priv keys + certificates signed by the above ca
>>>> >> certificate
>>>> >>
>>>> >> The client and server certificates are generated after filling in a
>>>> >> form that requires the user to assign a password to protect the
>>>> >> private key.
>>>> >> The certificate + private key are encoded in pkcs12 format,
>>>> >> downloadable to a browser or to be unpacked with openssl or similar
>>>> >> tools after providing the above password.  Remember that if you lose
>>>> >> the password you cannot open the pkcs12.  There is a recovery
>>>> >> mechanism in simpatica since the private keys are also encoded with a
>>>> >> randomly generated secret that is encrypted with the ca private key.
>>>> >> It also sends an email to the address associated with the client
>>>> >> informing that a certificate is ready to download.
>>>> >>
>>>> >> -----
>>>> >> Sample code
>>>> >>
>>>> >>  Just look at gluon/contrib/login_methods/x509_auth.py. Look at the
>>>> >> docstring in the X509_Auth class and put that code in your model to
>>>> >> configure authentication with x509.
>>>> >>
>>>> >> Use the @auth.requires_login() annotation as you would with any
>>>> >> action requiring authentication. It is explained in:
>>>> >>
>>>> >>
>>>> http://web2py.com/books/default/chapter/29/10?search=rest#Access-Control
>>>> >>
>>>> >>
>>>> >> mic
>>>> >>
>>>> >>
>>>> >> 2012/7/25 Amit <amit.khaw...@gmail.com>:
>>>> >> > sure Michele, let me go through the code. If I am not wrong,
>>>> >> > simpatica is to generate the certificate file for the client, and if
>>>> >> > you have any sample code to use x509 in the case of a web service
>>>> >> > then please do share it with me.
>>>> >> >
>>>> >> > Thanks,
>>>> >> > Amit
>>>> >> >
>>>> >> >
>>>> >> > On Wed, Jul 25, 2012 at 12:34 PM, Michele Comitini
>>>> >> > <michele.comit...@gmail.com> wrote:
>>>> >> >>
>>>> >> >> Amit
>>>> >> >> If you need advice with simpatica don't worry, just ask.  I never
>>>> >> >> had time to write some documentation so you have to look at the
>>>> >> >> code and/or ask...
>>>> >> >>
>>>> >> >> mic
>>>> >> >>
>>>> >> >>
>>>> >> >> On Wednesday, 25 July 2012 05:14:52 UTC+2, Amit wrote:
>>>> >> >>>
>>>> >> >>> Thanks Michele and Derek.. nice post, I am looking for exactly
>>>> >> >>> the same :)
>>>> >> >>>
>>>> >> >>> On Wed, Jul 25, 2012 at 4:09 AM, Michele Comitini
>>>> >> >>> <michele.comit...@gmail.com> wrote:
>>>> >> >>>>
>>>> >> >>>>
>>>> >> >>>> This is very similar to what TLS accomplishes with x509
>>>> >> >>>> certificates. There is a slight difference: the server does not
>>>> >> >>>> own a public key for each client; it verifies that the client owns
>>>> >> >>>> an x509 certificate signed by the correct certification authority.
>>>> >> >>>> So no need to store public keys.  In any case AFAIK in
>>>> >> >>>> public/private key algorithms the private key always allows
>>>> >> >>>> generation of the corresponding public key, not the contrary of
>>>> >> >>>> course.
>>>> >> >>>>
>>>> >> >>>> To accomplish what you need in the simplest way you have to:
>>>> >> >>>>
>>>> >> >>>> - create a certification authority with a self signed certificate
>>>> >> >>>> - create a certificate for your webserver signed with the private
>>>> >> >>>> key of the certification authority above.
>>>> >> >>>> - configure your webserver to require a client certificate (with
>>>> >> >>>> rocket look at the --ca-cert option)
>>>> >> >>>> - In case you need to know some info about the connecting client
>>>> >> >>>> as reported in its certificate you can use x509_auth.py for x509
>>>> >> >>>> authentication and configure your REST action with
>>>> >> >>>> @auth.requires_login().
>>>> >> >>>> This will give you access to information contained in the
>>>> >> >>>> certificate such as the common name or serial id.  To customize
>>>> >> >>>> you can extend the X509_Auth class.
>>>> >> >>>>
>>>> >> >>>> To generate test certificates fast you can use simpatica as Derek
>>>> >> >>>> correctly suggests.
>>>> >> >>>>
>>>> >> >>>> mic
>>>> >> >>>>
>>>> >> >>>> On Tuesday, 24 July 2012 10:33:48 UTC+2, Amit wrote:
>>>> >> >>>>>
>>>> >> >>>>> Hi,
>>>> >> >>>>> I have to provide public/private key authentication for
>>>> >> >>>>> accessing a web service (REST) from a client in my web2py
>>>> >> >>>>> application. How do I achieve it?
>>>> >> >>>>>
>>>> >> >>>>> Scenario:
>>>> >> >>>>> 1. Each client will have a unique private key which will be
>>>> >> >>>>> sent to the server along with the request.
>>>> >> >>>>> 2. The server has to authenticate the private key using the
>>>> >> >>>>> public key (unique for each client) and then allow access to the
>>>> >> >>>>> web service method. For e.g. suppose one client, say X, has
>>>> >> >>>>> requested the web service "add()"; the server has to first
>>>> >> >>>>> validate the public key with the client's private key and, if
>>>> >> >>>>> validation is successful, allow access to the web service "add()".
>>>> >> >>>>>
>>>> >> >>>>> Challenges:
>>>> >> >>>>> Where to store the public key of each client? We can't store it
>>>> >> >>>>> in the db because the server can't access the db before
>>>> >> >>>>> validation of the web service method. So will it be stored
>>>> >> >>>>> somewhere on the PC (where the server is running)? If yes, then
>>>> >> >>>>> how, and in which format?
>>>> >> >>>>>
>>>> >> >>>>>
>>>> >> >>>>> NOTE: Here the server will be completely written in web2py and
>>>> >> >>>>> the client is a separate application running on a hardware
>>>> >> >>>>> device.
>>>> >> >>>>>
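The three steps Michele lists (CA key + self-signed cert, server key + cert signed by that CA, client key + cert signed by that CA), the PKCS#12 unpacking with openssl he mentions, and the single-file bundles he describes for rocket and curl, carried out with the openssl command line as an added example. This is not code from the thread, from web2py or from simpatica; it assumes the openssl CLI is on PATH, and the names ("Test CA", localhost, server, client), the output directory and the password "s3cret" are made up for the demo. The web2py and curl invocations at the end are shown as comments only and are not run.

```shell
#!/bin/sh
# Throwaway PKI for mutual TLS: CA -> server cert (serverAuth) -> client cert (clientAuth),
# then the client credentials round-trip through PKCS#12, the form simpatica hands out.
# Assumptions (not from the thread): the openssl CLI is on PATH; all names, paths and
# the password "s3cret" are invented for this demo.
set -eu

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"

make_ca() {
    # 1. CA private key + self-signed CA certificate; a config file avoids prompts
    #    and behaves the same on OpenSSL 1.1 and 3.x
    cat > "$PKI_DIR/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$PKI_DIR/ca.cnf" \
        -keyout "$PKI_DIR/cacert.key" -out "$PKI_DIR/cacrt.pem" 2>/dev/null
}

issue_cert() {
    # issue_cert <name> <serverAuth|clientAuth> [dnsname]
    # 2./3. leaf private key + CSR, then a certificate signed with the CA key.
    # The EKU is what simpatica's "usage (client Auth, server Auth)" prompt decides.
    name="$1"; eku="$2"; dns="${3:-}"
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$name" \
        > "$PKI_DIR/$name.cnf"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$PKI_DIR/$name.cnf" \
        -keyout "$PKI_DIR/$name.key" -out "$PKI_DIR/$name.csr" 2>/dev/null
    {
        echo "basicConstraints = CA:FALSE"
        echo "keyUsage = critical,digitalSignature,keyEncipherment"
        echo "extendedKeyUsage = $eku"
        echo "authorityKeyIdentifier = keyid"
        if [ -n "$dns" ]; then echo "subjectAltName = DNS:$dns"; fi
    } > "$PKI_DIR/$name.ext"
    openssl x509 -req -sha256 -days 365 -in "$PKI_DIR/$name.csr" \
        -CA "$PKI_DIR/cacrt.pem" -CAkey "$PKI_DIR/cacert.key" -CAcreateserial \
        -extfile "$PKI_DIR/$name.ext" -out "$PKI_DIR/$name.pem" 2>/dev/null
}

make_p12() {
    # make_p12 <name> <password>: cert + key + CA cert in one password-protected
    # PKCS#12 file, what a browser imports (lose the password, lose the key)
    openssl pkcs12 -export -in "$PKI_DIR/$1.pem" -inkey "$PKI_DIR/$1.key" \
        -certfile "$PKI_DIR/cacrt.pem" -name "$1" -passout "pass:$2" \
        -out "$PKI_DIR/$1.p12"
}

unpack_p12() {
    # unpack_p12 <name> <password>: back to the "pem encoded cert file" and
    # "pem encoded key file" that rocket, apache and curl expect
    openssl pkcs12 -in "$PKI_DIR/$1.p12" -passin "pass:$2" -clcerts -nokeys \
        -out "$PKI_DIR/$1.from_p12.crt.pem"
    openssl pkcs12 -in "$PKI_DIR/$1.p12" -passin "pass:$2" -nocerts -nodes \
        -out "$PKI_DIR/$1.from_p12.key.pem"
}

fit_for_purpose() {
    # fit_for_purpose <name> <sslserver|sslclient>: chain check plus keyUsage/EKU,
    # so a clientAuth-only cert must NOT pass as sslserver (exit status only)
    openssl verify -purpose "$2" -CAfile "$PKI_DIR/cacrt.pem" "$PKI_DIR/$1.pem" >/dev/null 2>&1
}

key_fingerprint() {
    # key_fingerprint <keyfile>: SHA-256 of the public key, to prove two key
    # files (original vs. extracted from the .p12) hold the same key
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256 | sed 's/^.*= //'
}

# Build everything the thread asks for.
make_ca
issue_cert server serverAuth localhost
issue_cert client clientAuth
make_p12 client s3cret
unpack_p12 client s3cret
# Single-file bundles: rocket/apache can take cert+key+CA; curl --cert takes cert+key.
cat "$PKI_DIR/server.pem" "$PKI_DIR/server.key" "$PKI_DIR/cacrt.pem" > "$PKI_DIR/server_bundle.pem"
cat "$PKI_DIR/client.pem" "$PKI_DIR/client.key" > "$PKI_DIR/client_bundle.pem"
# Not run here; how the files map onto the commands quoted in the thread:
#   python web2py.py --ssl_certificate="$PKI_DIR/server.pem" \
#       --ssl_private_key="$PKI_DIR/server.key" --ca-cert="$PKI_DIR/cacrt.pem"
#   curl --cacert "$PKI_DIR/cacrt.pem" --cert "$PKI_DIR/client_bundle.pem" https://localhost:8000/...
```

The extended key usage is the part worth checking before deploying: a certificate issued for client Auth will not pass `openssl verify -purpose sslserver`, which is the same check the server and browsers apply, so pick the usage deliberately when signing each pending request. One caveat when importing the .p12 elsewhere: OpenSSL 3 encrypts PKCS#12 with AES/PBKDF2 by default, and older importers that only understand the legacy RC2/3DES encoding need it exported with `-legacy`.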
