I am trying to setup stunnel with certificate verification. I have put verify = 1 in stunnel.conf.
I generated a certificate for STunnel server and client and signed with CA (CA setup in lab) :
openssl req -out stunnel.csr -new -newkey rsa:2048 -nodes -keyout stunnel.key
scp stunnel.csr root#<CA IP Address>:/etc/pki/CA/csr/
openssl ca -extensions v3_ca -days 3650 -in csr/stunnel.csr -out certs/stunnel.pem
cat stunnel.key >> stunnel.pem
But when I use this cert I get error:
2014.05.07 17:01:56 LOG4[8343:140373923505920]: VERIFY ERROR: depth=1, error=unable to get issuer certificate: /C=US/ST=California/O=Org/OU=OrgUnit TLM/CN=CAHost
2014.05.07 17:01:56 LOG3[8343:140373923505920]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
2014.05.07 17:01:56 LOG5[8343:140373923505920]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
What is going wrong here ?
What is going wrong here ?
The error is 0x140890B2:
SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
The error string from OpenSSL is "no certificate returned".
If you supply the client certificate, then the problem will likely go away.
Related
Recently i have created self signed ssl certificates with the following commands
STEP 1: Create the server private key
openssl genrsa -out main.key 2048
STEP 2: Create the certificate signing request (CSR)
openssl req -new -key main.key -out main.csr
STEP 3: Sign the certificate using the private key and CSR
openssl x509 -req -days 365 -in tls.csr -signkey main.key -out main.crt
i haven't added ssl certificate info, in to my apache default file in : site-enabled config folder
but after an apache restart it took effect and i am able get https connection, but with a warning.
now i want to remove those self signed certificate. is that possible ?
i tried to revoke those certificates with this command - openssl ca -config /root/tls/openssl.cnf -revoke /certs/server-1.crt
but the above command didnt work .
i am currently very new to ssl certificate generation. any help is appreciated.
I made a tls server by below commands, which will request the client who is connecting to provide a client certificate. And I also simulated a client with the openssl commandline which will provide a client certificate. But it seems that the server didn't check if the client certificate is what exactly we want or not. Do you know how to make the server to do the check?
For the server:
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes
openssl s_server -key key.pem -cert cert.pem -accept 44330 -Verify 0
For the client:
openssl req -x509 -newkey rsa:2048 -keyout clientkey.pem -out clientcert.pem -days 365 -nodes
openssl s_client -connect 127.0.0.1:44330 -cert clientcert.pem -key clientkey.pem
... check if the client certificate is what exactly we want or not
You do not specify what you want from the client certificate, that's why it cannot check it. If you want that the client certificate is signed by a specific CA use the -CAfile option as documented:
-CAfile infile
A file containing trusted certificates to use during client authentication and to use when attempting to build the server certificate chain. The list is also used in the list of acceptable client CAs passed to the client when a certificate is requested.
Thus, if you want to make sure that the client certificate is the self-signed certificate you issued (or some other certificate signed by this), use:
openssl s_server -key key.pem -cert cert.pem -accept 44330 -Verify 0 \
-CAfile clientcert.pem
I have a root CA that was used to generate both server and client certificates in a currently working system.
It will soon reach its expiration date, and I am trying to renew it without changing any server or client certificate but I have failed so far.
To renew the CA, I have used:
openssl req -new -key ca.key -out newcsr.csr
openssl x509 -req -days 3650 -in newcsr.csr -signkey ca.key -out newca.pem
Then I have replaced my old CA certificate by newca.pem.
I expected that to be enough to have it working, but unfortunately it does not.
When trying to send a request with CuRL using my old client certificates (which are not expired), I get this error message:
curl --cert clientcrt.pem --key clientkey.pem https://myserver/
(35) Peer does not recognize and trust the CA that issued your
certificate
(the same request with the old CA does work, since it is not yet expired)
What are the steps that I missed?
Or do you have any clue of causes of error that I may look for?
If it can be useful to anyone, I finally resolved this problem by setting the serial of my new CA to the same value than the serial of the old CA:
openssl req -new -x509 -days 3650 -key ca.key -set_serial <oldserial> -out newca.pem
With that my client certificates are successfully validated by my CA.
I am creating a test network using raspberry pis. My computer will be the CA and my pi zero W the client. I have created a self-signed CA certificate on my computer, certificate request on the pi, and signed the request with the CA keys on my computer.
When I verify the certificate on the pi, I get an error. There is no error on my computer with the same command and same files
Error on raspberry pi:
$ openssl verify -verbose -CAfile ca.pem pi.pem
error 18 at 0 depth lookup: self signed certificate
error cert.pem: verification failed
# ca.pem is the ca self-signed cert. pi.pem is the cert signed by ca private key
using the SAME files on my computer:
$ openssl verify -verbose -CAfile ca.pem pi.pem
error cert.pem: verification failed
error 18 at 0 depth lookup: self signed certificate
OK
# ca.pem is the ca self-signed cert. pi.pem is the cert signed by ca private key
What I have tried so far
reinstall openssl on pi
replace openssl.cnf file with the one on the pi with the one on my computer
changed time on raspberry pi
switched roles: pi as CA and computer as client. This led to verification working on computer but not pi (as before)
raspbian version is stretch not sun
tried self signed certificate verification. Verify works on computer and pi.
The process for creating the certificates:
# Server: https://support.symantec.com/en_US/article.TECH242030.html
openssl req -new -sha256 -out cert.csr
openssl x509 -req -days 365 -in cert.csr -signkey privkey.pem -sha256 -out cert.crt
openssl x509 -in cert.crt -out ca.pem -outform PEM
# Client:
openssl req -new -sha256 -out pi.csr
openssl x509 -req -days 365 -in pi.csr -signkey privkey.pem -sha256 -out pi.crt # <--- privkey.pem is the privkey of CA
openssl x509 -in pi.crt -out pi.pem -outform PEM
You need some kind of configuration file for your CA certificate, otherwise it will use basicConstraints=CA:FALSE which means that it creates a self signed leaf certificate rather than a CA certificate. In other words, your certificate is trusted but not for signing other certificates.
See e.g. here how to create a chain.
https://gist.github.com/Soarez/9688998
Note that you also need to use e.g. -CA and -CAkey so please do not use your own commands and just a config file.
I am hosting a nginx webserver in my LAN and I want to authenticate client who are accessing my server with ssl client certificate.I generated a self signed SSL certificate and one client certificate following some documents on google. But I am unable to authenticate client who has certificate. I am getting the following errors
When requested from Firefox:
2017/08/10 18:30:13 [info] 8994#0: *4 client sent no required SSL certificate while reading client request headers, client: 192.168.16.27, server: 192.168.26.43, request: "GET /hls1/master.m3u8 HTTP/1.1", host: "192.168.26.43"
When request using curl:
curl -v -s -k --key client.key --cert client.crt --cacert ca.crt https://192.168.26.43/hls2/master.m3u8
2017/08/10 18:30:33 [info] 8994#0: *5 client SSL certificate verify error: (18:self signed certificate) while reading client request headers, client: 192.168.16.27, server: 192.168.26.43, request: "GET /hls2/master.m3u8 HTTP/1.1", host: "192.168.26.43"
So,my question is can I use self-signed certificate to authenticate client?If so, can anyone provide the steps to achieve this?
I just stumbled over this and discovered a small pitfall which caused the same error you encountered:
error 18 at 0 depth lookup: self signed certificate
There are plenty of guides how to create a self signed client certificate, I used the following (adapted from here):
# Create the CA Key and Certificate for signing Client Certs
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
# Create the Client Key and CSR
openssl genrsa -des3 -out client.key 4096
openssl req -new -key client.key -out client.csr
# Sign the client certificate with our CA cert
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
# Convert to .p12 so import in OSX works
openssl pkcs12 -export -clcerts -inkey client.key -in client.crt -out client.p12 -name "MyKey"
However, if you use the same Organization Name (eg, company) for both your ca and your client certificate, you will see above error! (edited: important)
If openssl verify -verbose -CAfile ca.crt client.crt does not complain about a self-signed certificate, you're good to go.
The server has to trust the client certificate. In the case of a self-signed certificate, that means the certificate has to be exported from the client's keystore and imported into the server's truststore.
When the server asks for the client certificate, it also sends a list of trusted signers, and the client is only allowed to send a certificate which is ultimately signed by one of those signers. As the server didn't know about the self-signed client certificate, it didn't include that as a trusted signer, so the client was unable to send its certificate. Hence client sent no required SSL certificate while reading client request headers.