pub.security:setKeyAndChain NOT sending any client certificate for SSL handshake

Hi,

I will try to make this brief.

I generated my own client and server private keys with OpenSSL and also self-signed certificates.
So I have:
1 self-signed cert + private key for the client
1 self-signed cert + private key for the server

I simulate an SSL server with openssl s_server using the generated server private key – the setup is to require client certificates and verify depth 1.

And now it gets interesting:

  1. No outbound SSL certs are set up on the Admin page,
    directories remain ‘unspecified’.
    I only have the server’s self-signed cert in my IS trusted certificate dir, which is set up on the same cert page.

  2. Using setKeyAndChain with my client certificate and private key (both in DER format) I try to connect to the localhost s_server port…
    I can see the complete handshake process and the SSL handshake fails on the s_server side because NO CLIENT CERTIFICATE IS SENT. The chain is empty!
    Could someone please try to explain why???

  3. I disable the setKeyAndChain in the flow and use the https call directly. I set up the same paths which I used for setKeyAndChain in the Admin/Certificates page.
    Since it’s self-signed, I don’t have any CA certificate.
    Result - NO client certificate sent

  4. With setKeyAndChain still disabled, I put the same client certificate also into the server’s CA (same path).
    Result - WORKS! Handshake gets completed

Alas, this doesn’t solve my problem, since the ‘real’ server running Tomcat rejects this kind of certificate chain/request with the error ‘User trying to act as CA’.

I used the s_server to see what exactly the IS sends out, and it confirmed that the client certificate is never sent when using setKeyAndChain.

No matter how many certificates I put in as input, in the IS SSL debug log I get ‘No client certificate available, sending empty request’…

All certificates are correct; I could import them into IE/Firefox and they verified OK with OpenSSL.

Please give me your thoughts on this…
IS - 7.1.1.0
Windows Server 2003
Standard Edition Service Pack 2
Oracle Express 10

//Matt

OK, got it working - basically the certificate wasn’t as OK as it seemed,
even though neither IS nor openssl threw any errors.
I exported the certificate again from the Windows cert store, and converted from p12 -> pem -> der.
And for sure the private key had a different size!

Now it works as it should - IS sends the certificate in the chain…

//Matt

Matt, could you please explain in detail how you converted from p12 to pem and then to der format… thanks in advance

Hi,

I basically followed the instructions from Advantage:

  1. Extract the private key from the pkcs12 file -

$ openssl.exe pkcs12 -in c:/p12.cert -out c:/privKey.txt -nocerts
Enter the password when prompted. This extracts the private key in PEM format.

  2. Extract the user certificate from the pkcs12 file -

$ openssl.exe pkcs12 -in c:/p12.cert -out c:/cert.txt -nokeys -clcerts
This extracts the user certificate in PEM format.

  3. Extract the CA certificate(s) from the pkcs12 file -

$ openssl.exe pkcs12 -in c:/p12.cert -out c:/cacert.txt -nokeys -cacerts
This extracts the CA certificate(s) in PEM format. If you open the file, there may be more than one certificate in it. Copy each of them into a separate file named appropriately.

  4. Convert all the files created (except the privKey.txt file) into DER format -
    $ openssl.exe x509 -in c:/cert.txt -outform DER -out c:/cert.der
    $ openssl.exe x509 -in c:/ServerRootCA.txt -outform DER -out c:/ServerRootCA.der
    $ openssl.exe x509 -in c:/ServerSub-CA.txt -outform DER -out c:/ServerSub-CA.der

  5. Convert the privKey.txt file into DER format -

$ openssl.exe rsa -inform PEM -outform DER -in c:/privKey.txt -out privKey.der

Full link is here:
http://advantage.webmethods.com/article/?id=1611542160

If you get problems using the certs, try to install the p12 cert into your Windows cert store (if you are on Windows), select the option to make the private key exportable (during the import procedure), then export those files again from the cert store directly and try converting them again.
I did this on a Win2003 server and could clearly see that the private key was different.
But do this only when things don’t work; try the aforementioned procedure first.

Good luck and hope it works for you

//Matt
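The steps above as an unattended script, added here as an example (not Matt's commands and not code from the webMethods article): it runs the same openssl extraction and DER conversion, and adds the check that would have exposed the mismatched private key described earlier in the thread. The function names, output file names and the password argument are assumptions.

```shell
#!/bin/sh
# Hypothetical helper (not from the thread or webMethods): split a PKCS#12
# bundle into PEM, convert to the DER files Integration Server expects, and
# verify that the private key really belongs to the client certificate.

# pkcs12_to_der <bundle.p12> <password> <outdir>
# Writes privKey.pem, cert.pem, cacert.pem and the DER forms of key and cert.
pkcs12_to_der() {
  p12=$1; pass=$2; out=$3
  mkdir -p "$out" || return 1
  # Private key in PEM, unencrypted (-nodes) so the DER step runs unattended;
  # omit -passin to be prompted interactively, as in the original steps.
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes \
    -out "$out/privKey.pem" || return 1
  # End-entity (client) certificate only
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts \
    -out "$out/cert.pem" || return 1
  # CA certificates carried in the bundle; the file is empty when there are none
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -cacerts \
    -out "$out/cacert.pem" 2>/dev/null || :
  # PEM -> DER: x509 for certificates, pkey for the private key (generic form
  # of the 'openssl rsa' step above). x509 converts only the first certificate,
  # so a multi-cert cacert.pem must still be split by hand first.
  openssl x509 -in "$out/cert.pem" -outform DER -out "$out/cert.der" || return 1
  if [ -s "$out/cacert.pem" ]; then
    openssl x509 -in "$out/cacert.pem" -outform DER -out "$out/cacert.der" || return 1
  fi
  openssl pkey -in "$out/privKey.pem" -outform DER -out "$out/privKey.der" || return 1
}

# key_matches_cert <key.pem> <cert.pem>
# Returns 0 when the public key embedded in the certificate equals the public
# key derived from the private key; a stale or wrong key export returns 1.
key_matches_cert() {
  openssl pkey -in "$1" -noout >/dev/null 2>&1 || return 1
  openssl x509 -in "$2" -noout >/dev/null 2>&1 || return 1
  k=$(openssl pkey -in "$1" -pubout | openssl sha256) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}
```

Run `key_matches_cert privKey.pem cert.pem` before loading the DER files into IS; a non-zero exit means the key and certificate were exported separately and do not belong together.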