Pesquisar no apoio

Evite burlas no apoio. Nunca iremos solicitar que telefone ou envie uma mensagem de texto para um número de telefone ou que partilhe informações pessoais. Por favor, reporte atividades suspeitas utilizando a opção "Reportar abuso".

Saber mais

Import client certificate for website with selfsigned ssl certificate

  • 1 resposta
  • 8 têm este problema
  • 9 visualizações
  • Última resposta por n'Arno

more options

Hi,

I'm building a simple web tool box and i use a self-signed certificate for HTTP SSL encryption.

Furthermore, I'll use client certificate for authentication.

If i add an exception for the website, i can't later on install my client certificate (error message: the PKCS #12 operation failed for unknown reasons).

If i first add the client certificate, i can't then access the website to add an exception: sec_error_reused_issuer_and_serial

Even if i first add the my CA, it doesn't help.

Please find below the method i used to create my certificates:

  1. !/bin/bash

set -e

  1. Create the CA Key and Certificate for signing Client Certs

openssl genrsa -out ca.key 4096 openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

  1. Create the Server Key, CSR, and Certificate

openssl genrsa -out server.key 2048 openssl req -new -key server.key -out server.csr

  1. We're self signing our own server cert here. This is a no-no in production.

openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

  1. Create the Client Key and CSR

openssl genrsa -out client.key 2048 openssl req -new -key client.key -out client.csr

  1. Sign the client certificate with our CA cert. Unlike signing our own server cert, this is what we want to do.

openssl x509 -req -days 3650 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt

  1. Build client PKCS12

openssl pkcs12 -inkey client.key -in client.crt -export -out client.pfx

Best Regards,

Hi, I'm building a simple web tool box and i use a self-signed certificate for HTTP SSL encryption. Furthermore, I'll use client certificate for authentication. If i add an exception for the website, i can't later on install my client certificate (error message: the PKCS #12 operation failed for unknown reasons). If i first add the client certificate, i can't then access the website to add an exception: sec_error_reused_issuer_and_serial Even if i first add the my CA, it doesn't help. Please find below the method i used to create my certificates: #!/bin/bash set -e # Create the CA Key and Certificate for signing Client Certs openssl genrsa -out ca.key 4096 openssl req -new -x509 -days 3650 -key ca.key -out ca.crt # Create the Server Key, CSR, and Certificate openssl genrsa -out server.key 2048 openssl req -new -key server.key -out server.csr # We're self signing our own server cert here. This is a no-no in production. openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt # Create the Client Key and CSR openssl genrsa -out client.key 2048 openssl req -new -key client.key -out client.csr # Sign the client certificate with our CA cert. Unlike signing our own server cert, this is what we want to do. openssl x509 -req -days 3650 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt #Build client PKCS12 openssl pkcs12 -inkey client.key -in client.crt -export -out client.pfx Best Regards,

Modificado por n'Arno a

Todas as respostas (1)

more options

In the end, i used a StartSSL free certificate for the server and my own CA for the client BUT using 2 different values for set_serial should do the trick.