SSL Certificate – Troubleshoot Client Side Authentication Failure

Tags: certificate, ssl, ssl-certificate

I'm trying to put the finishing bits and pieces on a client / server application I'm writing, but something seems to go foul at the last step in the SSL handshake.

The client side of the program connects and establishes a secure connection with a server without a hitch, but if I want to run operations from the server side of the program, it fails to make any connection.

When I try to connect to my server via Firefox (as the client), the browser will alert to me that the certificate is not suitable for the connection.

On the server side, my logs reflect that there's an unknown ca or certificate unknown whenever I try to accept bytes from my client.

I guess my question boils down to this point:

Do you have to make different certificates for a client side application vs a server side application? What's the difference between these?

Best Answer

The same way that server certificates uniquely identify a server (or domain), client certificates uniquely identify a client. And just like server certificates must be signed by someone the client trusts, client certificates must be signed by someone the server trusts.

Usually, when you configure a server to accept client certificates, you specify a signing certificate that must be used to sign the client's cert. This lets the server know that the client is "authorized", whatever that might mean in your context, since presumably you'll only sign certificates for "authorized" users.

Allowing client certificates without doing any sort of verification is generally possible with most servers, but sort of defeats the whole purpose.
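To make the answer concrete, here is an added, runnable example (not code from the question or the answer) that builds exactly the setup described: a private CA, a server certificate and a client certificate signed by that CA, and a TLS server configured to require a client certificate signed by that CA. It then runs three handshakes over loopback TCP: a client certificate from the trusted CA (accepted), a client certificate from some other CA (rejected with the "unknown authority" error that shows up as the server-side "unknown ca" alert), and a certificate issued for server use presented as a client certificate (rejected for incompatible key usage, which goes a bit beyond the answer and speaks to the "are client and server certificates different" part of the question). Everything here is constructed for the demo: the CA and subject names, the 127.0.0.1 address, the use of an ephemeral loopback port, and the assumption of Go 1.18 or newer for the generic `must` helper.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// must panics on error so the certificate setup stays short (fine for a demo).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a certificate for cn, self-signed (a CA) when parent is nil and signed by parent
// otherwise. For leaves, eku marks it as a server (serverAuth) or client (clientAuth) certificate.
func issue(cn string, parent *tls.Certificate, isCA bool, eku x509.ExtKeyUsage) *tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)}, // SAN the client checks the server cert against
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{eku}
	}
	signer, signerKey := tmpl, any(key) // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// handshake runs one TLS handshake over loopback TCP: the server demands a client cert and trusts only
// ca to have signed it; the client trusts only ca for the server cert. The server-side error is returned.
func handshake(server, client, ca *tls.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	result := make(chan error, 1)
	go func() {
		raw := must(ln.Accept())
		defer raw.Close()
		raw.SetDeadline(time.Now().Add(5 * time.Second))
		result <- tls.Server(raw, &tls.Config{
			Certificates:           []tls.Certificate{*server},
			ClientAuth:             tls.RequireAndVerifyClientCert, // demand a client cert and verify it...
			ClientCAs:              pool,                           // ...against this signing CA only
			SessionTicketsDisabled: true,                           // nothing to send after the handshake
		}).Handshake()
	}()
	raw := must(net.Dial("tcp", ln.Addr().String()))
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	clientErr := tls.Client(raw, &tls.Config{
		RootCAs:    pool,
		ServerName: "127.0.0.1",
		// Always present the configured cert, whatever CAs the server announces, so its verification decides.
		GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return client, nil },
	}).Handshake()
	raw.Close()
	if serverErr := <-result; serverErr != nil {
		return serverErr
	}
	return clientErr
}

// Scenarios issues one CA, one server cert and three client certs and runs each against the same server.
func Scenarios() map[string]error {
	ca := issue("Our CA", nil, true, 0)
	server := issue("server", ca, false, x509.ExtKeyUsageServerAuth)
	return map[string]error{
		"trusted CA, clientAuth cert":   handshake(server, issue("client", ca, false, x509.ExtKeyUsageClientAuth), ca),
		"untrusted CA, clientAuth cert": handshake(server, issue("client", issue("Some other CA", nil, true, 0), false, x509.ExtKeyUsageClientAuth), ca),
		"trusted CA, serverAuth cert":   handshake(server, issue("client", ca, false, x509.ExtKeyUsageServerAuth), ca),
	}
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-30s -> %v\n", name, err)
	}
}
```

The two settings that matter are `ClientAuth: tls.RequireAndVerifyClientCert` together with `ClientCAs`: that pair is the "specify a signing certificate that must be used to sign the client's cert" step from the answer. A client certificate chaining to any other issuer is rejected before any application data flows, and the rejection is logged on the server side, which matches where the question's "unknown ca" messages appear. The third scenario shows the other half of the question: beyond who signed it, a certificate's extended key usage says whether it is meant for server or client authentication, and a server-use certificate is refused as a client identity even when the trusted CA issued it.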
