Hi!
Simon Josefsson wrote:
> Friedrich Delgado Friedrichs <[email protected]> writes:
> > I was lazy and gave the same file as x509 cert, ca and keyfile. The
> > important difference is that gnutls-cli does not like it if the key is
> > in the same file as the cert.
> I don't think so -- the problem is more likely to be that you are
> telling gnutls-cli to use the CA cert as the client cert.
Interesting.
> I suspect the organisation-user.pem file still contains more than the
> client certificate.
>
> You need to put the client certificate _first_ in the --x509certfile
> file, and any (optional) sub-CA certs after the client cert.
Ok, if I edit the .pem file (which indeed contains first the key, then
two CA certs and then my personal cert) and order the certificates as
follows:
1. my key
2. my cert
3. and 4. the ca certs
It works and I get no key usage violation error with the following
command line:
,----
gnutls-cli --print-cert --verbose -p 4711 --x509certfile
/home/user/secret/organisation-user.pem -p 443 intern.organisation.org
--x509keyfile /home/user/secret/organisation-user.pem
`----
Some last questions:
1. Where is this documented? It seems I overlooked that the order of
certificates in the pem file is significant, and openssl as well as
certtool put it in the order key, ca, ca, user cert invariably.
Apparently I need to give -clcerts to the pkcs12 command to get
the correct order.
2. If I convert the p12 to pem with certtool, as you proposed, I get
an unusable key. Splitting it off doesn't help, I invariably get a
base64 decoding error. The only thing that works with
3. How can I get an *encrypted* key in pem format for use with
gnutls, generated from the p12 structure?
> That is a subversion or neon question, and I don't know the answer.
> GnuTLS provides interfaces for using PKCS#12 files, subversion/neon just
> have to use them (if it doesn't already).
---End of quote---
So it looks like subversion or neon doesn't handle pkcs12 files correctly?
--
Friedrich Delgado Friedrichs <[email protected]>
TauPan on Ircnet and Freenode ;)
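
The reordering done by hand in this message (key, then client certificate, then CA certificates) can be scripted. The following is an added example, not part of the original message and not GnuTLS code. It assumes the end-entity certificate is the one whose subject issued no other certificate in the bundle; the function names are hypothetical, and it compares issuer and subject names only, without verifying signatures.

```python
# Added example: helper names are hypothetical; names are matched, signatures are not verified.
import base64
import re
import sys

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def tlv(buf, pos):
    """Read one DER TLV header at pos; return (tag, content_start, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Return the raw DER issuer and subject Names of one X.509 certificate."""
    _, pos, _ = tlv(der, 0)      # enter Certificate SEQUENCE
    _, pos, _ = tlv(der, pos)    # enter tbsCertificate SEQUENCE
    tag, _, end = tlv(der, pos)
    if tag == 0xA0:              # skip the optional [0] version field
        pos = end
    fields = []
    for _ in range(5):           # serial, sigAlg, issuer, validity, subject
        _, _, end = tlv(der, pos)
        fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def reorder(bundle):
    """Return key(s), then the client cert, then its issuers; other text is dropped."""
    blocks = [(m.group(1), m.group(0), m.group(2)) for m in PEM_RE.finditer(bundle)]
    keys = [text for label, text, _ in blocks if label.endswith("PRIVATE KEY")]
    certs = [(text, *issuer_subject(base64.b64decode(body)))
             for label, text, body in blocks if label == "CERTIFICATE"]
    # Names that issued some other certificate belong to CAs, not to the client.
    issuers = {iss for _, iss, sub in certs if iss != sub}
    leaves = [c for c in certs if c[2] not in issuers and (c[1] != c[2] or len(certs) == 1)]
    if len(leaves) != 1:
        raise ValueError(f"expected one end-entity certificate, found {len(leaves)}")
    chain, rest = leaves[:], [c for c in certs if c is not leaves[0]]
    # Walk upwards: append the certificate whose subject is the last one's issuer.
    while (nxt := next((c for c in rest if c[2] == chain[-1][1]), None)) is not None:
        chain.append(nxt)
        rest.remove(nxt)
    return "\n".join(keys + [c[0] for c in chain + rest]) + "\n"

if __name__ == "__main__":
    sys.stdout.write(reorder(open(sys.argv[1]).read()))
```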