Can't get Client certificates to work
2013-03-29, 09:58
Post: #11
RE: Can't get Client certificates to work
(2013-03-28 22:04)robinsmidsrod Wrote:  Maybe I'm missing something here, but I can't see any indication that you've specified _intention_ for the server and client certificates. Mustn't they be specified as TLS Server/Client-type certificates? I'm not exactly sure how that is done with openssl, but unless those flags aren't specified in a config file not included (like ca.cnf or something else) I'm going to assume that might be a possible problem. BTW: Using curl with the client certificates against your server (which has ssqlrequire set) should make it quicker to verify that your setup works.

Hello Robin!

Thank you for your answer.
I have used the ca.cnf as specified here (ipxe crypto), with the exception of the parameter "default_md", which doesn't accept the value of "default", so I set it to sha1. Here is the ca.cnf I use:

Code:
[ ca ]
default_ca             = CA_default

[ CA_default ]
serial                 = ca.srl
database               = ca.idx
new_certs_dir          = signed
certificate            = ca.crt
private_key            = ca.key
default_days           = 3650
default_md             = sha1
preserve               = yes
#nameopt               = default_ca
#certopt               = default_ca
policy                 = policy_anything
unique_subject         = no

[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = optional
emailAddress           = optional
localityName           = optional

[ cross ]
basicConstraints       = critical,CA:true
keyUsage               = critical,cRLSign,keyCertSign

[ codesigning ]
keyUsage               = digitalSignature
extendedKeyUsage       = codeSigning

I'm not good enough at OpenSSL to find out where the problem may be, but as far as I could find out using Google this should be OK.

In previous attempts to get it running I also tried md5 without success.

Since Michael mentioned that the server sends two combined certs I also tried to use the CA Cert on the Server which also worked fine for SSL and Code Verification but not for Client Verification.

I have never used curl (I'm a Windows Developer - eh - have been ;-) ) but I will give it a try.

Additionally, I have another question: Doesn't ipxe resolve server addresses? The "problem" is that I'm not able to specify a URL like https://ipxe.myserver.com in the script. I have to use the IP, which causes me to use the IP as CommonName in the certs, which isn't really a problem, but using a machine name would be nicer. But probably this is a dnsmasq configuration issue.

Thank you all for trying to help me.

Thorsten
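
The certificate-intent question raised in the quoted reply can be checked directly with OpenSSL. The script below is an added example, not part of the original posts or of the iPXE documentation: it builds a throwaway CA with constructed names and asks `openssl verify -purpose sslclient` which leaf certificates pass as TLS client certificates. Assumptions: the `client` and `plain` extension sections are hypothetical additions next to the `cross` and `codesigning` sections from the ca.cnf above, SHA-256 is used instead of sha1, and `openssl x509 -req` stands in for `openssl ca` to keep the script short.

```shell
# Added example: throwaway PKI with constructed names, not the poster's files.

# make_demo_pki DIR: create a CA and one leaf cert per extension section.
make_demo_pki() {
    dir=$1
    mkdir -p "$dir" || return 1
    cat > "$dir/demo.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
[ dn ]
CN                 = overridden-by-subj
[ cross ]
basicConstraints   = critical,CA:true
keyUsage           = critical,cRLSign,keyCertSign
[ codesigning ]
keyUsage           = digitalSignature
extendedKeyUsage   = codeSigning
[ client ]
keyUsage           = digitalSignature
extendedKeyUsage   = clientAuth
[ plain ]
keyUsage           = digitalSignature
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -config "$dir/demo.cnf" -extensions cross -subj "/CN=Constructed Demo CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    for kind in codesigning client plain; do
        openssl req -new -newkey rsa:2048 -nodes -config "$dir/demo.cnf" \
            -subj "/CN=constructed-$kind" -keyout "$dir/$kind.key" \
            -out "$dir/$kind.csr" 2>/dev/null &&
        openssl x509 -req -sha256 -days 2 -in "$dir/$kind.csr" \
            -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
            -extfile "$dir/demo.cnf" -extensions "$kind" \
            -out "$dir/$kind.crt" 2>/dev/null || return 1
    done
}

# cert_allows DIR KIND PURPOSE: exit 0 if DIR/KIND.crt chains to the demo CA
# and OpenSSL accepts it for PURPOSE (sslclient, sslserver, ...).
cert_allows() {
    openssl verify -purpose "$3" -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# Build the PKI in a temp dir and report each cert's verdict as a TLS client.
demo=$(mktemp -d) && make_demo_pki "$demo" && for kind in codesigning client plain; do
    if cert_allows "$demo" "$kind" sslclient; then v=accepted; else v=rejected; fi
    echo "$kind: $v for sslclient"
done
rm -rf "$demo"
```

OpenSSL's purpose check rejects the certificate whose extendedKeyUsage lists only codeSigning, and accepts both the clientAuth certificate and the one with no extendedKeyUsage at all; other TLS implementations may be stricter.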
Messages In This Thread
RE: Can't get Client certificates to work - Viator - 2013-03-29 09:58


