Import client certificate for website with selfsigned ssl certificate
Hi,
I'm building a simple web tool box and i use a self-signed certificate for HTTP SSL encryption.
Furthermore, I'll use client certificate for authentication.
If i add an exception for the website, i can't later on install my client certificate (error message: the PKCS #12 operation failed for unknown reasons).
If i first add the client certificate, i can't then access the website to add an exception: sec_error_reused_issuer_and_serial
Even if i first add the my CA, it doesn't help.
Please find below the method i used to create my certificates:
- !/bin/bash
set -e
- Create the CA Key and Certificate for signing Client Certs
openssl genrsa -out ca.key 4096 openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
- Create the Server Key, CSR, and Certificate
openssl genrsa -out server.key 2048 openssl req -new -key server.key -out server.csr
- We're self signing our own server cert here. This is a no-no in production.
openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
- Create the Client Key and CSR
openssl genrsa -out client.key 2048 openssl req -new -key client.key -out client.csr
- Sign the client certificate with our CA cert. Unlike signing our own server cert, this is what we want to do.
openssl x509 -req -days 3650 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
- Build client PKCS12
openssl pkcs12 -inkey client.key -in client.crt -export -out client.pfx
Best Regards,
Wot n'Arno
Wšě wotmołwy (1)
In the end, i used a StartSSL free certificate for the server and my own CA for the client BUT using 2 different values for set_serial should do the trick.