Simon Josefsson wrote:
> Friedrich Delgado Friedrichs <[email protected]> writes:
> I suspect your key file is encrypted. The key file should contain a
> header like this:
Sure, and it's encrypted.
> Does it? If not, try adding '-nodes' to your 'openssl pkcs12' command
> line, and retry the gnutls-cli command.
I did that, and re-tried the gnutls-cli line, with a different result:
,----
Processed 3 CA certificate(s).
Processed 3 client certificates...
Processed 3 client X.509 certificates...
Resolving 'intern.organisation.org'...
Connecting to 'NNN.NNN.NN.NNN:443'...
*** Fatal error: Key usage violation in certificate has been detected.
*** Handshake has failed
GNUTLS ERROR: Key usage violation in certificate has been detected.
`----
Looks like I can reproduce the problem with gnutls-cli.
> > Or can I convert the pkcs12 file with gnutls, in case there's some
> > problem with the converted file from openssl?
> Try 'certtool --p12-info'
certtool -d 4711 --inraw --p12-info --infile organisation-user.p12
actually seems to work, however if I try to use the result, I get
the following output with the gnutls-cli command:
,----
Processed 3 client certificates...
*** Error loading key file: Base64 unexpected header error.
`----
> The bits look fine (both digital signature and key encipherment),
> although the Key Usage extension itself SHOULD be marked critical
> according to the specifications.
> Maybe the problem is with the key usage bits in some other certificate
> in the chain. Can you post the same info for the other certs too?
---End of quote---
Ok, all the certificates in the CA chain have the following usage bits:
Certificate signing.
CRL signing.
in particular
,----
> certtool -i < organisation-user-ca.pem|grep -A 2 -i 'key usage'
Key Usage (not critical):
Certificate signing.
CRL signing.
--
Key Usage (not critical):
Certificate signing.
CRL signing.
--
Key Usage (critical):
Certificate signing.
CRL signing.
--
Key Usage (critical):
Certificate signing.
CRL signing.
--
Key Usage (critical):
Certificate signing.
CRL signing.
--
Key Usage (not critical):
Certificate signing.
CRL signing.
--
Key Usage (critical):
Certificate signing.
CRL signing.
--
Key Usage (not critical):
Certificate signing.
CRL signing.
`----
I don't know if it is remarkable that some have "critical" and some
"not critical".
Then there's an additional server CA, accredited by the same chain of
root CAs (I think...):
,----
Key Usage (not critical):
Certificate signing.
CRL signing.
`----
Ok, this goes a bit beyond my knowledge now; if you have any particular
questions about the PKI involved here that can't be resolved with
command line tools, I'd have to ask a colleague about this. I *think*
I picked the right server CA certificate to check; I'm sure the CA
chain from my client certificate is the one I use.
Kind regards
Friedel
--
Friedrich Delgado Friedrichs <[email protected]>
TauPan on Ircnet and Freenode ;)
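An added example (my own code, not from this thread or from GnuTLS) that parses `certtool -i` output in the style quoted above and applies an assumed rule set for a TLS client chain: the leaf must carry "Digital signature", each issuer "Certificate signing", and a non-critical Key Usage is reported because RFC 5280 says the extension SHOULD be critical. The sample certificates and subjects are constructed for this example.

```python
import re
# Constructed sample in the style of `certtool -i` output (made-up values):
# a client certificate followed by its issuing CA certificate.
SAMPLE = """\
X.509 Certificate Information:
	Subject: CN=user,O=organisation
		Key Usage (not critical):
			Digital signature.
			Key encipherment.
X.509 Certificate Information:
	Subject: CN=organisation user CA,O=organisation
		Key Usage (critical):
			Certificate signing.
			CRL signing.
"""

KU_RE = re.compile(r"^\s*Key Usage \((critical|not critical)\):\s*$")
BIT_RE = re.compile(r"^\s+([A-Za-z][A-Za-z ]*)\.\s*$")  # e.g. "   CRL signing."

def parse_certtool_output(text):
    """One record per certificate: subject, Key Usage criticality, usage bits."""
    certs, cur, in_ku = [], None, False
    for line in text.splitlines():
        if line.startswith("X.509 Certificate Information:"):
            cur = {"subject": None, "ku_critical": None, "ku_bits": set()}
            certs.append(cur)
        elif in_ku and (b := BIT_RE.match(line)):
            cur["ku_bits"].add(b.group(1).strip().lower())
            continue  # still inside the bit list
        elif cur and (m := KU_RE.match(line)):
            cur["ku_critical"] = m.group(1) == "critical"
            in_ku = True  # bit names follow, one per line, each ending in "."
            continue
        elif cur and line.strip().startswith("Subject:"):
            cur["subject"] = line.split(":", 1)[1].strip()
        in_ku = False
    return certs

def check_chain(certs):
    """Assumed rules: leaf needs 'digital signature', issuers 'certificate signing'."""
    findings = []
    for n, c in enumerate(certs):
        who = f"cert {n} ({c['subject']})"
        if c["ku_critical"] is None:
            continue  # no Key Usage extension: nothing to violate
        if not c["ku_critical"]:
            findings.append(f"{who}: Key Usage present but not critical")
        need = "digital signature" if n == 0 else "certificate signing"
        if need not in c["ku_bits"]:
            findings.append(f"{who}: missing '{need}'")
    return findings
```

Feed it the real `certtool -i` dump of the client certificate followed by its chain (leaf first) to get the same per-certificate view the thread assembled by hand with grep.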