Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Chained Client Certificates

Tags:

certificate

openssl

client

chained

I would like to use SSL client certificates to authenticate users connecting to tomcat6/7. I’ve got tomcat configured correctly, and certificates I sign with the cert in the truststore I gave to tomcat are authenticating successfully from both IE and Firefox.

I would also like to chain client certificates, because I want to give customers the ability to manage their own users. I could accomplish this by issuing a customer an itermediate management CA certificate that they would use to sign additional user certs. I would need the user’s browser to send the user certificate, chained with the management CA (signed by my root certificate) to authenticate.

I am using openssl, and I have created a root CA and an intermediate CA, and I have used the intermediate CA to sign a leaf certificate. I have converted all three certificates to pkcs12 and pem, and used keytool to import the root certificate into a truststore for tomcat. openssl –verify will verify the leaf pkcs12 against the intermediate certificate (and intermediate verifies against root). But I cannot get the leaf certificate (pkcs12) to verify against the root certificate (pkcs12). I also cannot get either IE or Firefox to authenticate using the leaf certificate. IE will prompt me for the certificate, but fails to authenticate (there is no mention of the connection or failure in tomcat’s log). Firefox does not prompt for the leaf certificate; it simply fails to authenticate.

Here is how I try to verify the leaf against the root using openssl:

openssl verify -CAfile ..\root\Root.pem Leaf.pem

Here are the scripts I am using to generate the three certificates:
root.bat:

set name=Root
set keyPassword=dummypassword
set trustPassword=dummypassword
openssl genrsa -des3 -passout pass:%keyPassword% -out %name%.key 4096
openssl req -new -key %name%.key -passin pass:%keyPassword% -out %name%.csr -subj "/C=US/ST=Chaos/L=TimeNSpace/O=None/CN=%name%"
openssl x509 -req -days 3650 -in %name%.csr -signkey %name%.key -passin pass:%keyPassword% -extfile GenerateCertificate.cfg -extensions v3_ca -out %name%.crt
openssl pkcs12 -export -in %name%.crt -inkey %name%.key -passin pass:%keyPassword% -passout pass:%keyPassword% -out %name%.pkcs12
keytool -noprompt -import -file %name%.crt -alias %name% -keystore %name%.truststore -deststorepass %trustPassword%
keytool -list -v -keystore %name%.truststore -storepass %trustPassword% > %name%.truststore.dump.txt
keytool -exportcert -alias %name% -keystore %name%.truststore -storetype jks -storepass %trustPassword% -rfc -file %name%.truststore.pem
openssl pkcs12 -in %name%.pkcs12     -out %name%.pem     -nodes -passin pass:%keyPassword%

intermediate.bat:

set name=Intermediate
set password=dummypassword
set caDir=../root
set caName=Root
set caPassword=dummypassword
openssl genrsa -des3 -passout pass:%password% -out %name%.key 2048
openssl req -new -key %name%.key -passin pass:%password% -out %name%.csr -subj "/C=US/ST=Chaos/L=TimeNSpace/O=None/CN=%name%"
openssl x509 -req -days 3650 -in %name%.csr -CA %caDir%/%caName%.crt -CAkey %caDir%/%caName%.key -passin pass:%caPassword% -set_serial 1 -extfile GenerateCertificate.cfg -extensions v3_ca -out %name%.crt
openssl pkcs12 -export -in %name%.crt -inkey %name%.key -passin pass:%password% -passout pass:%password% -chain -CAfile %caDir%/%caName%.crt -out %name%.pkcs12
openssl pkcs12 -in %name%.pkcs12     -out %name%.pem     -nodes -passin pass:%password%

leaf.bat:

set name=Leaf
set password=dummypassword
set caDir=../intermediate
set caName=Intermediate
set caPassword=dummypassword
openssl genrsa -des3 -passout pass:%password% -out %name%.key 2048
openssl req -new -key %name%.key -passin pass:%password% -out %name%.csr -subj "/C=US/ST=Chaos/L=TimeNSpace/O=None/CN=%name%"
openssl x509 -req -days 3650 -in %name%.csr -CA %caDir%/%caName%.crt -CAkey %caDir%/%caName%.key -passin pass:%caPassword% -set_serial 1 -out %name%.crt
openssl pkcs12 -export -in %name%.crt -inkey %name%.key -passin pass:%password% -passout pass:%password% -chain -CAfile %caDir%/%caName%.pem -out %name%.pkcs12
openssl pkcs12 -in %name%.pkcs12     -out %name%.pem     -nodes -passin pass:%password%

GenerateCertificate.cfg:

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:true,pathlen:3
like image 643
user1703874 Avatar asked Sep 27 '12 16:09

user1703874

1 Answers

The problem was that the root and intermediate certificates were not created as CA certificates.

To create them as CA certificates, I added

-extfile GenerateCertificate.cfg -extensions v3_ca

to their creation scripts, and added the GenerateCertificate.cfg file to my working directories (which contained the cert creation batch files).

I have editted my original post to reflect these changes.

like image 165
user1703874 Avatar answered Sep 30 '22 06:09

user1703874
Sign in to Comment

Related questions

Sign on OS X, Verify on iOS and OSStatus -9809
SSL Certificate add failed, Error: 1312
Why do I get an OpenSSL error when trying to connect to Apple Push Notification Service?
PHP verify failed with LetsEncrypt
Decrypt with the public key using openssl in commandline
Using OpenSSL in Delphi webservice - available protocols and ciphers
Create x509 certificate with openssl/makecert tool
Convert a .PEM certificate to .PFX programmatically using OpenSSL
https: Apache TLS renegotiation: Debian, Apache2, openssl. How to?
OpenSSL generate and sign certificate with custom subject fields
Compute AES128 CMAC with openssl as command line
openssl command line to cipher RC4, not expected result, don't understand
export chain with openssl_pkcs12_export in PHP
How to list certificates, trusted by OpenSSL?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!