openssl - server and client certificates
06-29-2007 08:39 AM
If so, what am I doing wrong here? I create the CA, then the server CSR and sign it. Then I create the client certs and export them to PKCS#12 format for my MSIE 6.0 testing.
Any and all help is much appreciated.
Here are the steps I take:
# - gen CA (certificate authority - like VeriSign) for all certs
# Passphrase-protected (-des3) 2048-bit CA key, then a self-signed CA cert valid 10 years
openssl genrsa -des3 -out my-ca.key 2048
openssl req -new -x509 -days 3650 -key my-ca.key -out my-ca.crt
openssl x509 -in my-ca.crt -text -noout
# - gen cert for apache server
# Server key + CSR; the CSR is signed by my-ca. -CAcreateserial creates my-ca.srl on
# first use. Note: x509 -req adds no extensions (no SAN, no EKU) and signs with SHA-1.
openssl genrsa -des3 -out jims-server.key 2048
openssl req -new -key jims-server.key -out jims-server.csr
openssl x509 -req -in jims-server.csr -out jims-server.crt -sha1 -CA my-ca.crt -CAkey my-ca.key -CAcreateserial -days 365
openssl x509 -in jims-server.crt -text -noout
#
# - gen client side cert and sign with CA
# Same pattern for the client cert; the PKCS#12 bundle contains the client cert and its
# private key only (no -certfile, so the CA cert is not included in the bundle)
openssl genrsa -des3 -out jim-c.key 2048
openssl req -new -key jim-c.key -out jim-c.csr
openssl x509 -req -in jim-c.csr -out jim-c.crt -sha1 -CA my-ca.crt -CAkey my-ca.key -CAcreateserial -days 365
openssl pkcs12 -export -in jim-c.crt -inkey jim-c.key -name "Test Site" -out jim-c.p12
# Inspect the bundle: client certs only, no keys, plus the encryption/MAC info
openssl pkcs12 -in jim-c.p12 -clcerts -nokeys -info
07-02-2007 03:12 AM
Re: openssl - server and client certificates
Does anyone have any suggestions?
07-02-2007 04:19 AM
Re: openssl - server and client certificates
I've done it.
Your generation script looks reasonable.
Where are you placing it after you generate it?
What is the configuration of your ssl.conf file?
Are there entries on the access_log error_log log files?
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
07-02-2007 04:40 AM
Re: openssl - server and client certificates
Thanks for replying.
This is the ssl.conf VHOST
-----------------------------------------
DocumentRoot "/opt/hpws/apache/vhost-root"
DirectoryIndex index.htm
SSLEngine on
SSLCipherSuite !ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /opt/hpws/apache/conf/ssl.crt/jims-server.crt
SSLCertificateKeyFile /opt/hpws/apache/conf/ssl.key/jims-server.key
ServerName jims-test-site
ErrorLog logs/jims-test-site.error_log
CustomLog logs/jims-test-site.access_log common
DirectoryIndex sindex.htm
AllowOverride None
AddType text/html .shtml
DirectoryIndex index.htm
SSLVerifyClient require
SSLVerifyDepth 1
. . . etc.
-------------------------------------------
I can import the PKCS12 just fine into MSIE but see these messages when I try to access it.
[Fri Jun 29 14:50:06 2007] [error] Certificate Verification: [127.0.0.1] Error (self signed certificate) Subject: /C=US/ST=PA/L=Horsham/O=NCO/CN=jims-test-site
[Fri Jun 29 14:50:06 2007] [error] Re-negotiation handshake failed: Not accepted by client!?
[Fri Jun 29 14:59:03 2007] [error] Re-negotiation handshake failed: Not accepted by client!?
[Fri Jun 29 14:59:35 2007] [error] Re-negotiation handshake failed: Not accepted by client!?
Is it that my /usr/local/openssl/openssl.cfg isn't configured with specific information about the CA or certs?
I'm just guessing here . . .
Thanks again for any help you might provide.
07-02-2007 08:50 AM
Re: openssl - server and client certificates
07-02-2007 08:59 AM
Re: openssl - server and client certificates
SSLCertificateChainFile /opt/hpws/apache/conf/ssl.crt/my-ca.crt
SSLCertificateKeyFile /opt/hpws/apache/conf/ssl.crt/my-ca.crt
most of the conf within the virtual host section is commented out. I didn't want to post things of non-relevance.
Here's the entire vhost in the ssl.conf though:
DocumentRoot "/opt/hpws/apache/vhost-root"
DirectoryIndex index.htm
SSLEngine on
SSLCipherSuite !ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /opt/hpws/apache/conf/ssl.crt/jims-server.crt
SSLCertificateKeyFile /opt/hpws/apache/conf/ssl.key/jims-server.key
ServerName jims-test-site
ErrorLog logs/jims-test-site.error_log
CustomLog logs/jims-test-site.access_log common
DirectoryIndex sindex.htm
AllowOverride None
AddType text/html .shtml
DirectoryIndex index.htm
SSLVerifyClient require
SSLVerifyDepth 1
#
#
#
# General setup for the virtual host
#DocumentRoot "/opt/hpws/apache/htdocs"
#ServerName corux28:443
#ServerAdmin www@corux28
#ErrorLog /opt/hpws/apache/logs/error_log
#TransferLog /opt/hpws/apache/logs/access_log
#SSLEngine on
#SSLCipherSuite !ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
#SSLCertificateFile /opt/hpws/apache/conf/ssl.crt/jims-server.crt
#SSLCertificateKeyFile /opt/hpws/apache/conf/ssl.key/jims-server.key
SSLCertificateChainFile /opt/hpws/apache/conf/ssl.crt/my-ca.crt
SSLCertificateKeyFile /opt/hpws/apache/conf/ssl.crt/my-ca.crt
#SSLCACertificatePath /opt/hpws/apache/conf/ssl.crt
#SSLCACertificateFile /opt/hpws/apache/conf/ssl.crt/ca-bundle.crt
#SSLCARevocationPath /opt/hpws/apache/conf/ssl.crl
#SSLCARevocationFile /opt/hpws/apache/conf/ssl.crl/ca-bundle.crl
#SSLVerifyClient require
#SSLVerifyDepth 10
# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#
#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars
07-02-2007 11:20 AM
Re: openssl - server and client certificates (accepted solution)
SSLCertificateKeyFile should be the private key for your server certificate. You probably don't want that in the same file as your CA chain, but I suppose it probably can work that way.
I still don't see a SSLCACertificateFile directive. Assuming that you are using some Apache 2.0 version, you need to set this directive to point to the CA certificate that signed your clients.
The Apache web site has a document describing how to configure client authentication. Take a look at http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html#accesscontrol and see if you've got everything.
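The build procedure from the first post and the accepted reply's point about SSLCertificateKeyFile, as one added worked example (not the poster's commands and not part of the thread). It rebuilds the same CA, server and client certificates non-interactively, adds the extensions the original x509 -req steps leave out (CA:TRUE on the CA, serverAuth plus a SAN for the server, clientAuth for the client), puts the CA certificate into the PKCS#12 bundle, and then runs the two checks that would have caught the misconfiguration before Apache was touched: chain verification with a purpose, and a key-matches-certificate test. File names follow the post; the working directory, the PKCS#12 password and the client DN are constructed for this example, and the CA key is left unencrypted only so the script runs unattended.

```shell
#!/bin/sh
# Added example, not the original poster's commands. Assumes a POSIX sh and an
# openssl CLI (1.0 or later). All output lands in $WORK (a fresh temp dir).
set -eu

WORK="${WORK:-$(mktemp -d)}"
P12PASS="${P12PASS:-changeit}"   # export password for jim-c.p12 (example value)

# Minimal req config so the commands do not depend on the system openssl.cnf.
# The extension files are what plain "openssl x509 -req" otherwise omits.
write_configs() {
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"
    # CA: must be marked as a CA or verifiers reject anything it signs.
    printf '%s\n' 'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' \
        'subjectKeyIdentifier = hash' > "$WORK/ca.ext"
    # Server: SAN matches the vhost ServerName; EKU limits it to TLS servers.
    printf '%s\n' 'basicConstraints = CA:FALSE' \
        'keyUsage = digitalSignature,keyEncipherment' \
        'extendedKeyUsage = serverAuth' \
        'subjectAltName = DNS:jims-test-site' \
        'authorityKeyIdentifier = keyid,issuer' > "$WORK/server.ext"
    # Client: clientAuth only, so a leaked client cert cannot pose as the server.
    printf '%s\n' 'basicConstraints = CA:FALSE' \
        'keyUsage = digitalSignature' \
        'extendedKeyUsage = clientAuth' \
        'authorityKeyIdentifier = keyid,issuer' > "$WORK/client.ext"
}

# issue NAME SUBJECT EXTFILE: key + CSR + certificate signed by my-ca.
issue() {
    name=$1; subj=$2; ext=$3
    openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
    openssl req -new -config "$WORK/req.cnf" -key "$WORK/$name.key" \
        -subj "$subj" -out "$WORK/$name.csr"
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/my-ca.crt" \
        -CAkey "$WORK/my-ca.key" -CAcreateserial -sha256 -days 365 \
        -extfile "$WORK/$ext" -out "$WORK/$name.crt" 2>/dev/null
}

build_pki() {
    write_configs
    openssl genrsa -out "$WORK/my-ca.key" 2048 2>/dev/null
    openssl req -new -config "$WORK/req.cnf" -key "$WORK/my-ca.key" \
        -subj "/C=US/ST=PA/L=Horsham/O=NCO/CN=my-ca" -out "$WORK/my-ca.csr"
    openssl x509 -req -in "$WORK/my-ca.csr" -signkey "$WORK/my-ca.key" \
        -sha256 -days 3650 -extfile "$WORK/ca.ext" -out "$WORK/my-ca.crt" 2>/dev/null
    issue jims-server "/C=US/ST=PA/L=Horsham/O=NCO/CN=jims-test-site" server.ext
    issue jim-c "/C=US/ST=PA/L=Horsham/O=NCO/CN=jim" client.ext
    # -certfile puts the CA certificate into the bundle so the browser can
    # present the chain; the post's export omits it.
    openssl pkcs12 -export -in "$WORK/jim-c.crt" -inkey "$WORK/jim-c.key" \
        -certfile "$WORK/my-ca.crt" -name "jim" \
        -passout "pass:$P12PASS" -out "$WORK/jim-c.p12"
}

# Both leaf certs chain to my-ca and are valid for their intended purpose.
verify_chain() {
    openssl verify -purpose sslserver -CAfile "$WORK/my-ca.crt" "$WORK/jims-server.crt" >/dev/null &&
    openssl verify -purpose sslclient -CAfile "$WORK/my-ca.crt" "$WORK/jim-c.crt" >/dev/null
}

# key_matches_cert KEY CRT: 0 when the private key belongs to the certificate.
# This is the check that catches SSLCertificateKeyFile pointing at the wrong file.
key_matches_cert() {
    [ "$(openssl rsa -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -pubkey -noout)" ]
}

# Number of certificates in the PKCS#12 bundle (expect 2: client + CA).
p12_cert_count() {
    openssl pkcs12 -in "$WORK/jim-c.p12" -passin "pass:$P12PASS" -nokeys 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

main() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found; nothing to do" >&2; return 0; }
    build_pki
    verify_chain && echo "chain OK for server and client certs"
    key_matches_cert "$WORK/jims-server.key" "$WORK/jims-server.crt" && echo "server key matches server cert"
    echo "certificates in jim-c.p12: $(p12_cert_count)"
    echo "files in $WORK"
}

main
```

Run key_matches_cert against the two files named in SSLCertificateFile and SSLCertificateKeyFile on the server; a mismatch is exactly what pointing SSLCertificateKeyFile at my-ca.crt produces. The -CAcreateserial flag creates my-ca.srl on the first signing and increments it afterwards, so the server and client certificates receive distinct serial numbers.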
07-03-2007 04:31 AM
Re: openssl - server and client certificates
I can connect now but I get this message in the error log file for this v-host.
# tail ../logs/jims-test-site.error_log
[Tue Jul 03 12:21:50 2007] [error] Re-negotiation handshake failed: Not accepted by client!?
I confirmed that if I remove the client side cert from my MSIE it fails to display the page. Likewise, when I import the cert I can get to the page.
But all the while I get these messages in the log file for the v-host.
# cat ../logs/jims-test-site.error_log
[Tue Jul 03 12:21:50 2007] [error] Re-negotiation handshake failed: Not accepted by client!?
[Tue Jul 03 12:28:16 2007] [error] Re-negotiation handshake failed: Not accepted by client!?
[Tue Jul 03 12:28:16 2007] [error] Re-negotiation handshake failed: Not accepted by client!?
[Tue Jul 03 12:29:38 2007] [error] Re-negotiation handshake failed: Not accepted by client!?
[Tue Jul 03 12:29:42 2007] [error] Re-negotiation handshake failed: Not accepted by client!?
[Tue Jul 03 12:29:58 2007] [error] Re-negotiation handshake failed: Not accepted by client!?
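The vhost the accepted reply is asking for, written out as an added example (assembled from that reply and the mod_ssl directive reference; it is not the poster's ssl.conf). Paths and names follow the thread; the `_default_:443` address and the SSLRequire condition are assumptions. Each directive is placed where mod_ssl expects it, with the server key and CA trust anchor kept in separate files and the cipher string rewritten as a deny list.

```apache
# Added example vhost; not the configuration posted in the thread.
<VirtualHost _default_:443>
    ServerName    jims-test-site
    DocumentRoot  "/opt/hpws/apache/vhost-root"
    DirectoryIndex index.htm
    ErrorLog      logs/jims-test-site.error_log
    CustomLog     logs/jims-test-site.access_log common

    SSLEngine on
    # The posted string re-enables SSLv2, export and eNULL suites; exclude them.
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!EXPORT:!SSLv2

    # Server identity: the server certificate and ITS OWN private key
    # (the fix from the accepted reply; my-ca.crt is not a key).
    SSLCertificateFile      /opt/hpws/apache/conf/ssl.crt/jims-server.crt
    SSLCertificateKeyFile   /opt/hpws/apache/conf/ssl.key/jims-server.key
    # Optional with a self-signed root the client already trusts; harmless here.
    SSLCertificateChainFile /opt/hpws/apache/conf/ssl.crt/my-ca.crt

    # Client authentication: the CA that signed the client certificates,
    # required, depth 1 because jim-c -> my-ca is a single step.
    SSLCACertificateFile /opt/hpws/apache/conf/ssl.crt/my-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  1
    SSLOptions +StdEnvVars

    <Directory "/opt/hpws/apache/vhost-root">
        AllowOverride None
        # Authorize on the certificate's content, not only on possession of one.
        SSLRequire %{SSL_CLIENT_S_DN_O} eq "NCO"
    </Directory>
</VirtualHost>
```

Keep SSLVerifyClient, SSLVerifyDepth and SSLCipherSuite at the vhost level. mod_ssl has to renegotiate in the middle of a request whenever a <Directory> or <Location> context, or a name-based vhost other than the one that handled the initial handshake, demands client verification or ciphers the original handshake did not cover, and a client that declines that renegotiation produces the "Re-negotiation handshake failed: Not accepted by client!?" line seen in this thread's logs. Whether that is the cause here cannot be determined from what was posted, but it is the first thing to rule out when the page loads and the message still appears.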