
openssl - server and client certificates

UNIX Daemon
New Member

Has anyone worked with client side ssl certificates for an apache web instance?

If so, what am I doing wrong here? I create the CA, then the server csr and sign it. Then create the client certs export them to a pkcs#12 format for my MSIE 6.0 testing.

Any and all help is much appreciated.

Here are the steps I take:


# - gen CA (certificate authority - like VeriSign) for all certs
openssl genrsa -des3 -out my-ca.key 2048

openssl req -new -x509 -days 3650 -key my-ca.key -out my-ca.crt

openssl x509 -in my-ca.crt -text -noout

# - gen cert for apache server
openssl genrsa -des3 -out jims-server.key 2048

openssl req -new -key jims-server.key -out jims-server.csr

openssl x509 -req -in jims-server.csr -out jims-server.crt -sha1 -CA my-ca.crt -CAkey my-ca.key -CAcreateserial -days 365

openssl x509 -in jims-server.crt -text -noout
#
# - gen client side cert and sign with CA
openssl genrsa -des3 -out jim-c.key 2048

openssl req -new -key jim-c.key -out jim-c.csr

openssl x509 -req -in jim-c.csr -out jim-c.crt -sha1 -CA my-ca.crt -CAkey my-ca.key -CAcreateserial -days 365

openssl pkcs12 -export -in jim-c.crt -inkey jim-c.key -name "Test Site" -out jim-c.p12

openssl pkcs12 -in jim-c.p12 -clcerts -nokeys -info
7 REPLIES
UNIX Daemon
New Member

Re: openssl - server and client certificates

Tell me no one has worked with this before?
Does anyone have any suggestions?
Steven E. Protter
Exalted Contributor

Re: openssl - server and client certificates

Shalom,

I've done it.

Your generation script looks reasonable.

Where are you placing it after you generate it?

What is the configuration of your ssl.conf file?

Are there entries on the access_log error_log log files?

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
UNIX Daemon
New Member

Re: openssl - server and client certificates

Hey SEP,
Thanks for replying.

This is the ssl.conf VHOST
-----------------------------------------

DocumentRoot "/opt/hpws/apache/vhost-root"
DirectoryIndex index.htm
SSLEngine on
SSLCipherSuite !ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /opt/hpws/apache/conf/ssl.crt/jims-server.crt
SSLCertificateKeyFile /opt/hpws/apache/conf/ssl.key/jims-server.key
ServerName jims-test-site
ErrorLog logs/jims-test-site.error_log
CustomLog logs/jims-test-site.access_log common

DirectoryIndex sindex.htm
AllowOverride None
AddType text/html .shtml


DirectoryIndex index.htm
SSLVerifyClient require
SSLVerifyDepth 1

. . . etc.
-------------------------------------------

I can import the PKCS12 just fine into MSIE but see these messages when I try to access it.

[Fri Jun 29 14:50:06 2007] [error] Certificate Verification: [127.0.0.1] Error (self signed certificate) Subject: /C=US/ST=PA/L=Horsham/O=NCO/CN=jims-test-site
[Fri Jun 29 14:50:06 2007] [error] Re-negotiation handshake failed: Not accepted by client!?
[Fri Jun 29 14:59:03 2007] [error] Re-negotiation handshake failed: Not accepted by client!?
[Fri Jun 29 14:59:35 2007] [error] Re-negotiation handshake failed: Not accepted by client!?


Is it that my /urs/local/openssl/openssl.cfg isn't configured with specific information about the CA or certs?

I'm just guessing here . . .

Thanks again for any help you might provide.
Heironimus
Honored Contributor

Re: openssl - server and client certificates

I don't see anything in your Apache configuration telling it where to find the CA certificate for validating the client cert. Do you have a SSLCACertificateFile directive pointing at your CA certificate?
UNIX Daemon
New Member

Re: openssl - server and client certificates

Sorry about that. . .

SSLCertificateChainFile /opt/hpws/apache/conf/ssl.crt/my-ca.crt
SSLCertificateKeyFile /opt/hpws/apache/conf/ssl.crt/my-ca.crt


Most of the conf within the virtual host section is commented out. I didn't want to post things of non-relevance.

Here's the entire vhost in the ssl.conf though:



DocumentRoot "/opt/hpws/apache/vhost-root"
DirectoryIndex index.htm
SSLEngine on
SSLCipherSuite !ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /opt/hpws/apache/conf/ssl.crt/jims-server.crt
SSLCertificateKeyFile /opt/hpws/apache/conf/ssl.key/jims-server.key
ServerName jims-test-site
ErrorLog logs/jims-test-site.error_log
CustomLog logs/jims-test-site.access_log common

DirectoryIndex sindex.htm
AllowOverride None
AddType text/html .shtml


DirectoryIndex index.htm
SSLVerifyClient require
SSLVerifyDepth 1

#
#
#
# General setup for the virtual host
#DocumentRoot "/opt/hpws/apache/htdocs"
#ServerName corux28:443
#ServerAdmin www@corux28
#ErrorLog /opt/hpws/apache/logs/error_log
#TransferLog /opt/hpws/apache/logs/access_log

#SSLEngine on
#SSLCipherSuite !ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
#SSLCertificateFile /opt/hpws/apache/conf/ssl.crt/jims-server.crt

#SSLCertificateKeyFile /opt/hpws/apache/conf/ssl.key/jims-server.key

SSLCertificateChainFile /opt/hpws/apache/conf/ssl.crt/my-ca.crt
SSLCertificateKeyFile /opt/hpws/apache/conf/ssl.crt/my-ca.crt

#SSLCACertificatePath /opt/hpws/apache/conf/ssl.crt
#SSLCACertificateFile /opt/hpws/apache/conf/ssl.crt/ca-bundle.crt

#SSLCARevocationPath /opt/hpws/apache/conf/ssl.crl
#SSLCARevocationFile /opt/hpws/apache/conf/ssl.crl/ca-bundle.crl

#SSLVerifyClient require
#SSLVerifyDepth 10

# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#


#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire

SSLOptions +StdEnvVars


SSLOptions +StdEnvVars




Heironimus
Honored Contributor
Solution

Re: openssl - server and client certificates

SSLCertificateChainFile is the CA chain for the server certificate. It is not used to validate client certificates.

SSLCertificateKeyFile should be the private key for your server certificate. You probably don't want that in the same file as your CA chain, but I suppose it probably can work that way.

I still don't see a SSLCACertificateFile directive. Assuming that you are using some Apache 2.0 version, you need to set this directive to point to the CA certificate that signed your clients.

The Apache web site has a document describing how to configure client authentication. Take a look at http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html#accesscontrol and see if you've got everything.
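The checks below are an added example, not code from the thread or from Apache. They rebuild the poster's three-step PKI from the first post without prompts (the -subj and unencrypted keys are assumptions; the original used -des3 and interactive prompts) and then run, from the shell, the two checks the accepted answer describes: the client cert must chain to the CA named in SSLCACertificateFile, and SSLCertificateKeyFile must hold the private key for the certificate in SSLCertificateFile. The second check deliberately fails when a CA certificate is put in the key slot, which is the misconfiguration shown in the posted vhost.

```shell
#!/bin/sh
# Added example (not from the thread): regenerate the poster's CA, server and
# client certificates and verify them the way mod_ssl will.
# Intended directive mapping for the corrected vhost (derived from the answer):
#   SSLCertificateFile     jims-server.crt   (server cert)
#   SSLCertificateKeyFile  jims-server.key   (server private key, NOT my-ca.crt)
#   SSLCACertificateFile   my-ca.crt         (CA that signed the client certs)
set -eu

WORK="${WORK:-$(mktemp -d)}"   # assumption: scratch directory for the generated files
cd "$WORK"

# Mirrors the three generation steps of the first post. -subj avoids prompts and
# the keys are left unencrypted; -sha256 replaces the post's -sha1.
make_test_pki() {
    openssl genrsa -out my-ca.key 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key my-ca.key -out my-ca.crt \
        -subj "/C=US/ST=PA/L=Horsham/O=NCO/CN=my-test-ca"
    for name in jims-server jim-c; do
        openssl genrsa -out "$name.key" 2048 2>/dev/null
        openssl req -new -key "$name.key" -out "$name.csr" -subj "/C=US/O=NCO/CN=$name"
        openssl x509 -req -in "$name.csr" -out "$name.crt" -sha256 \
            -CA my-ca.crt -CAkey my-ca.key -CAcreateserial -days 365 2>/dev/null
    done
}

# Same path-building check that SSLVerifyClient require performs against the
# CA in SSLCACertificateFile. Prints OK when $2 chains to $1, FAIL otherwise.
client_cert_verifies() {   # $1 = CA cert file, $2 = client cert file
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Compares the public key inside the key file with the public key in the cert.
# Returns 0 on a match, 1 otherwise; a certificate given as the key file is
# rejected because it does not parse as a private key at all.
key_matches_cert() {       # $1 = private key file, $2 = certificate file
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

make_test_pki
echo "client cert chains to my-ca.crt: $(client_cert_verifies my-ca.crt jim-c.crt)"
key_matches_cert jims-server.key jims-server.crt && echo "jims-server.key matches jims-server.crt"
key_matches_cert my-ca.crt jims-server.crt || echo "my-ca.crt is not a private key: wrong value for SSLCertificateKeyFile"
```

Run it once with the real files (set WORK to the ssl.crt/ssl.key directory and skip make_test_pki) to confirm the three directives point at consistent files before restarting Apache.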
UNIX Daemon
New Member

Re: openssl - server and client certificates

Getting closer . . .
I can connect now but I get this message in the error log file for this v-host.

# tail ../logs/jims-test-site.error_log
[Tue Jul 03 12:21:50 2007] [error] Re-negotiation handshake failed: Not accepted by client!?

I confirmed that if I remove the client side cert from my MSIE it fails to display the page. Likewise, when I import the cert I can get to the page.

But all the while I get these messages in the log file for the v-host.

# cat ../logs/jims-test-site.error_log
[Tue Jul 03 12:21:50 2007] [error] Re-negotiation handshake failed: Not accepted by client!?
[Tue Jul 03 12:28:16 2007] [error] Re-negotiation handshake failed: Not accepted by client!?
[Tue Jul 03 12:28:16 2007] [error] Re-negotiation handshake failed: Not accepted by client!?
[Tue Jul 03 12:29:38 2007] [error] Re-negotiation handshake failed: Not accepted by client!?
[Tue Jul 03 12:29:42 2007] [error] Re-negotiation handshake failed: Not accepted by client!?
[Tue Jul 03 12:29:58 2007] [error] Re-negotiation handshake failed: Not accepted by client!?