Is it possible to use haproxy to add an SSL client certificate before sending requests to the backend server?
Use case:
App1 -> haproxyOut -> internet -> haproxyIn -> App2
Is haproxyOut able to add a client certificate that could be validated by haproxyIn?
I'd like haproxyOut to initiate the SSL connection with a client certificate and haproxyIn to terminate the SSL connection.
Thanks
I guess I found a solution:
I just have to add the pem file of the client certificate on the server line of the backend of haproxyOut.
The doc says (backend server section):
crt
It designates a PEM file from which to load both a certificate and the
associated private key. This file can be built by concatenating both PEM
files into one. This certificate will be sent if the server send a client
certificate request.
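Both ends of the setup described above, as an added configuration example that is not part of the original post. The host name in.example.com, the ports, the file paths and the X-SSL-Client-DN header name are assumptions; client.pem is the concatenated certificate and private key the quoted documentation describes.

```haproxy
# --- haproxyOut: App1 speaks plain HTTP locally, haproxyOut speaks TLS outward ---
frontend fe_app1
    mode http
    bind 127.0.0.1:8080                      # assumed local listener for App1
    default_backend be_haproxy_in

backend be_haproxy_in
    mode http
    # ssl                    : open a TLS connection to the server
    # crt                    : client certificate + private key in one PEM file,
    #                          sent when haproxyIn issues a certificate request
    # ca-file/verify required: also validate haproxyIn's server certificate
    # verifyhost, sni        : check and announce the expected host name
    server haproxy_in in.example.com:443 ssl crt /etc/haproxy/certs/client.pem ca-file /etc/haproxy/certs/server-ca.pem verify required verifyhost in.example.com sni str(in.example.com)

# --- haproxyIn: terminates TLS and requires a client certificate ---
frontend fe_tls_in
    mode http
    # crt                    : haproxyIn's own server certificate + key
    # ca-file                : CA that issued haproxyOut's client certificate
    # verify required        : handshake fails if no valid client cert is presented
    bind :443 ssl crt /etc/haproxy/certs/server.pem ca-file /etc/haproxy/certs/client-ca.pem verify required
    # Optional: pass the verified client subject to App2 (header name is an assumption)
    http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
    default_backend be_app2

backend be_app2
    mode http
    server app2 127.0.0.1:9000               # assumed address of App2
```

Without `verify required` on the haproxyIn bind line no client certificate is requested, so the `crt` on haproxyOut is never sent.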
Related
I can't connect to my Tableau Server from Tableau Desktop because it shows me this error: SSL certificate is not valid. I'm searching for a solution, but I'm only reading how to change the certificate with another, because I do not have any other certificate.
My question goes before that: how can I get a certificate? Where can I get it from?
This is the guide from Tableau I use whenever I need to set up SSL for my servers. It includes obtaining an SSL certificate from a certificate authority: Steps for SSL Cert
To configure Tableau Server to use SSL, you must have an SSL certificate. To obtain the SSL certificate, complete the steps:
Set the OpenSSL configuration environment variable (optional)
Generate a key file
Create a Certificate Signing Request (CSR)
Send the CSR to a certificate authority (CA) to obtain an SSL certificate
Use the key and certificate to configure Tableau Server to use SSL
I successfully secured a NiFi node (localhost) with SSL, but I always have a yellow padlock in my browser, as you can see in the pic here.
Do you have any idea?
Thanks
If you used an untrusted certificate then this is expected behavior. You would have to purchase a real certificate for a real domain name in order for the browser to not warn you.
I see the description below:
Standalone : generates the certificate authority, keystores, truststores, and nifi.properties files in one command
Client/Server mode : uses a Certificate Authority Server that accepts Certificate Signing Requests from clients, signs them, and sends the resulting certificates back. Both client and server validate the other’s identity through a shared secret.
Standalone and client, both generate the certificate authority, keystores, truststores.
Sorry, I don't see the difference.
I made an HTTP proxy server, but the problem is that I can't decrypt SSL traffic.
I found that Fiddler installs a trusted root certificate. I did the same and now I don't get the error that the certificate is untrusted, but I get another error: wrong Common Name (CN). How does Fiddler change the CN of the installed trusted certificate?
Will appreciate any answer.
Fiddler acts as an SSL termination proxy.
I.e. the connection goes like this:
Browser ---(SSL handshake)---> Fiddler --- (SSL handshake) ---> Actual Site
So your connection is first encrypted and sent to Fiddler, where it is decrypted by Fiddler and then encrypted again to be sent to the actual site that you access.
Additionally, when you access a site Fiddler automatically generates a server certificate with a CN that is equal to the host name of the site, and this certificate is signed by the CA of Fiddler. That's why Fiddler needs to install a set of trusted CAs in your browser so that the first SSL handshake can be made against a trusted authority.
I'm trying to create a web application with client certificates, generated programmatically. My main problem is the following: I've added the generated .p12 keystore to my web browser, but it doesn't send the certificate to the server.
How does the browser understand which x509 certificate it should use? And is it possible to debug SSL in Chrome or Firefox?
The SSL/TLS server sends a Certificate Request message (see RFC 4346 for TLS 1.1 or others). In this message there are only the certificate types and the names of acceptable certificate authorities, so the server doesn't tell anything about a particular certificate.
The possible reason is that your certificate is of an invalid type (i.e. DSA instead of RSA but key exchange algorithm depends on client RSA certificate), or the server requests a certificate from a different certificate authority.
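The selection described in this answer, as an added Python example that is not part of the original answer: it parses a TLS 1.0/1.1 CertificateRequest body and filters a keystore by certificate type and issuer name. The request bytes, the keystore entries and the helper `der_dn` are constructed for illustration, and matching only the direct issuer is a simplifying assumption.

```python
import struct

# ClientCertificateType codes (RFC 4346, CertificateRequest)
CERT_TYPES = {1: "rsa_sign", 2: "dss_sign", 3: "rsa_fixed_dh", 4: "dss_fixed_dh"}

def parse_certificate_request(body):
    """Parse a TLS 1.0/1.1 CertificateRequest body -> (type names, raw DER CA names)."""
    n_types = body[0] if body else 0
    if n_types < 1 or len(body) < 1 + n_types + 2:
        raise ValueError("truncated certificate_types")
    types = [CERT_TYPES.get(t, "unknown(%d)" % t) for t in body[1:1 + n_types]]
    pos = 1 + n_types
    (ca_len,) = struct.unpack_from("!H", body, pos)
    pos += 2
    if pos + ca_len != len(body):
        raise ValueError("certificate_authorities length mismatch")
    ca_names = []
    while pos < len(body):
        if len(body) - pos < 2:
            raise ValueError("truncated DistinguishedName length")
        (dn_len,) = struct.unpack_from("!H", body, pos)
        pos += 2
        if pos + dn_len > len(body):
            raise ValueError("truncated DistinguishedName")
        ca_names.append(body[pos:pos + dn_len])
        pos += dn_len
    return types, ca_names

def eligible(candidates, types, ca_names):
    """Labels of client certs that match the request; an empty CA list means any issuer."""
    return [c["label"] for c in candidates
            if c["type"] in types and (not ca_names or c["issuer_dn"] in ca_names)]

def der_dn(cn):
    """Constructed helper: DER Name holding a single short CN (UTF8String)."""
    wrap = lambda tag, data: bytes([tag, len(data)]) + data
    atv = wrap(0x30, b"\x06\x03\x55\x04\x03" + wrap(0x0C, cn.encode()))
    return wrap(0x30, wrap(0x31, atv))

def demo():
    # Constructed request: server accepts rsa_sign certs issued by one CA.
    ca = der_dn("Constructed Client CA")
    cas = struct.pack("!H", len(ca)) + ca
    body = bytes([1, 1]) + struct.pack("!H", len(cas)) + cas
    types, ca_names = parse_certificate_request(body)
    keystore = [  # constructed browser keystore entries
        {"label": "rsa-requested-ca", "type": "rsa_sign", "issuer_dn": ca},
        {"label": "dsa-requested-ca", "type": "dss_sign", "issuer_dn": ca},
        {"label": "rsa-other-ca", "type": "rsa_sign", "issuer_dn": der_dn("Other CA")},
    ]
    return eligible(keystore, types, ca_names)
```

When the filter returns nothing, the browser has no certificate to offer, which matches the two causes named in the answer: wrong key type or wrong issuing CA.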
I have a new SSL certificate to install (IIS7) but when I do complete certificate request I get 'Cannot find the certificate request associated with this certificate file. A certificate request must be completed on the computer where the request was created'. The request was generated on 123-reg and not on the server. I have a .pem and public and private keys from 123-reg but I don't know what to do with them to get them installed on the server so I can complete the request!
Can anyone point me in the right direction please :)
When you create a certificate request you also get a CSR file with the request which is sent to the certification authority.
Read this post for a full explanation of all files involved in the certification process.
In your case it seems that the server is complaining maybe because your domain does not match the input you provided in the certificate request. Maybe your CSR is configured for mydomain.com but IIS is configured for something like localhost or an IP. Check that out.