> From: owner-openssl-us...@openssl.org On Behalf Of DRings
> Sent: Tuesday, 05 June, 2012 13:15

> I have a restricted community application that seems a perfect fit for using
> openssl to self-generate our own CA, and self-sign it, and self-generate our
> own web client authentication certificate and self-sign them. All this so
> that we can validate the Distinguished Name presented when web browser
> connecting to our nginx web server.
>
If you use your own CA to issue/sign client certs, the client certs are not
self-signed; they are signed by your CA. The CA root is self-signed.

> I have done all this many times but have not been able to get various web
> browsers to use the self-generated/self-signed client authentication certs.
>
> I have imported both the CA.crt and the client.crt into the OS certificate
> store. But after that the web browser does not seem to use the cert for
> authentication.
>
What is in client.crt? If it's just the certificate, as the extension would
indicate, that's wrong. The client (in general the authenticating party) needs
a certificate AND KEY (more exactly a private key or keypair which includes the
private key). You don't say what your OS (or tool) is, but one common way of
transporting a cert and key together is a PKCS#12 file, usually with extension
.p12 or .pfx. There are other ways.

The other approach, which is usually considered better practice but can be
more work, is to generate the keypair and CSR ON THE CLIENT, move the CSR to
the CA which issues a cert, and move the cert back to the client and attach it
to the keypair (may be called import or something else like update).

The clients I use don't need the CA cert to verify themselves, but yours might.
The server (system and/or app) definitely does need your CA.crt to verify the
clients.

> I've tried to set the properties on the imported certificate to be used for
> "web client authentication". - it just does not work!
>
> I just cannot keep spending time on this problem. If I cannot find help, I
> will urge that the requirement for client certs be dropped from the project.
>
> (personal lore) It seems that the web browsers fail because our
> self-generated/self-signed CA is not signed by some higher CA that is
> trusted. Is that true or false?
>
See above. If the SERVER also uses a cert signed by your CA, then the clients
definitely do need the CA cert to verify the server.

> If it is false, I need help to overcome the failure of the web browsers to
> correctly use our certs.
>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
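Added example, not code from this thread or from the OpenSSL project: the sequence the reply describes (self-signed CA root, keypair and CSR generated on the client side, CA-signed client cert, cert plus private key bundled as PKCS#12), with the checks the server and the browser depend on. The directory, subject names and the export password are constructed for the example.

```bash
#!/bin/sh
# Added example (not from the thread): private CA, client CSR signed by
# that CA, cert+key bundled as PKCS#12, and the checks a server/browser
# relies on. Names, subjects and the password are constructed here.
set -eu

# make_demo_pki DIR: build ca.crt, client.crt, client.key and client.p12 in DIR.
make_demo_pki() {
  dir="$1"
  mkdir -p "$dir"
  # 1. Self-signed CA root: the only self-signed certificate in the chain.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" \
    -subj "/CN=Example Community CA" 2>/dev/null
  # 2. Keypair and CSR made on the client side; only the CSR travels to the CA.
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$dir/client.key" -out "$dir/client.csr" \
    -subj "/CN=alice/O=Example Community" 2>/dev/null
  # 3. CA signs the CSR, marking the cert for TLS client authentication.
  printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' > "$dir/client.ext"
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -extfile "$dir/client.ext" \
    -out "$dir/client.crt" 2>/dev/null
  # 4. Cert AND private key in one PKCS#12 bundle for import into the browser/OS store.
  openssl pkcs12 -export -in "$dir/client.crt" -inkey "$dir/client.key" \
    -certfile "$dir/ca.crt" -name "alice client cert" \
    -passout pass:changeit -out "$dir/client.p12"
}

# verify_client_cert DIR: what the server does with CA.crt, check client.crt chains to it.
verify_client_cert() {
  openssl verify -CAfile "$1/ca.crt" "$1/client.crt" >/dev/null 2>&1
}

# has_client_auth_eku DIR: the "web client authentication" property must be in the cert itself.
has_client_auth_eku() {
  openssl x509 -in "$1/client.crt" -noout -text | grep -q 'TLS Web Client Authentication'
}

# p12_has_private_key DIR: a .crt alone is not enough; the bundle must carry the key.
p12_has_private_key() {
  openssl pkcs12 -in "$1/client.p12" -nocerts -nodes -passin pass:changeit 2>/dev/null \
    | grep -q 'PRIVATE KEY'
}
```

Importing client.p12 (rather than client.crt alone) is what gives the browser both halves it needs; on the nginx side only ca.crt is required to verify the presented client certificate.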