Getting mozilla to send its client cert?



Hello Newsgroup,

Say, I was wondering... how does one configure apache/mozilla in such
a way that the client's DN (and any other certificate details) are sent
in the connection?

Here's what I have in the apache conf file:

SSLOptions +StdEnvVars +ExportCertData +FakeBasicAuth

That creates the environment variable:

    ** NONE ??
    (other SSL_ variables??)

    ** blank ?!

And many other SSL_ variables.. What I want to do is use the client's DN
stuff to authenticate.

I tried (in the apache.conf):

     SSLVerifyClient require

But all that happened was a browser error.

In actuality, no web browser will ever connect to this host, it's all to
be done with LWP, but I'd like my test browser to send its cert details
so I can see what's going on (and as such, figure out how to get LWP to
send /its/ certificate stuff).

I'm planning on using it to authenticate an automated process, and want to
confirm the client's cert was indeed signed by me and get its client ID (sort
of like a username) so that the application knows which sets of data to
operate on.

Kinda like passwords, but w/out someone there to actually enter them.

I presume I'll need to import a cert into mozilla somehow (like I did
with my fake CA) but.. I also need to tell it to present this particular
certificate whenever I connect to a specific host.

Make sense?

Can it be done?

LWP side.. I want the connection to flat out fail if the CA isn't mine, but
that'll be next week...

I am /NOT/ an openssl expert.. man, what a confusing convoluted process!


-- Custom web programming
Perl * Java * UNIX                        User Management Solutions

Re: Getting mozilla to send its client cert? (Jamie) mentions:

Nevermind, found the answer. For anyone interested here's a summary:

# Create private key.

    openssl genrsa -out file.key 2048

# make_csr (in my case, a shell function, but basically..)

    openssl req -new -key file.key -out file.csr

# sign it with your CA. In my case, a shell function, but, something like this:
# (you have to create your own CA and stuff before doing this)

    openssl ca -days $DAYS -policy policy_anything -out file.crt -infiles file.csr

# The tricky bit, combine file.key with the file.crt that was created above

    cat file.key file.crt >file.pem

# Create a file with a pfx extension, mozilla will use it.

    openssl pkcs12 -export -out file.pfx -in file.pem

In Mozilla, under settings, your certificates.. import file.pfx

In Apache:

# Where client-ca.crt is your PUBLIC CA. Apache will then use it to determine
# whether or not the cert sent from Mozilla was in fact signed by us.
# You should import this into mozilla as well, you're sort of taking the role
# of verisign by doing it. (well, in a cheesy way, but for small automated stuff
# it should be OK.)

SSLCACertificateFile  /home/joe/src/ttypackage/web/ssl/client-ca.crt
# Among other things...

SSLVerifyClient require

# And possibly other options..
SSLOptions +StdEnvVars +ExportCertData

Now you can have mozilla identify itself to an in-house apache web server
running SSL.
Look at the environment variables to see the goodies available to CGI scripts.


-- Custom web programming
Perl * Java * UNIX                        User Management Solutions
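As an added example (not code from either post), here is how a CGI behind that Apache config could turn the exported SSL_CLIENT_* variables into the "client ID" the original poster was after, accepting the cert only if Apache reports it verified and it was issued by our own CA. The DN strings, CA name and account-name pattern are constructed placeholders, and it is written in Python rather than the poster's Perl; the same variables are in %ENV there.

```python
import re

# Constructed placeholder for the in-house CA's subject DN; replace with
# the DN of the CA in SSLCACertificateFile.
EXPECTED_ISSUER_DN = "CN=In-house Client CA,O=Example Corp,C=US"


def parse_dn(dn):
    """Split a mod_ssl DN string into {attribute: value}.
    Handles the RFC 2253 form 'CN=x,O=y,C=z' (commas inside values are
    backslash-escaped) and the older slash-separated form '/C=z/O=y/CN=x'."""
    if dn.startswith("/"):
        parts = dn.strip("/").split("/")
    else:
        parts = re.split(r"(?<!\\),", dn)
    out = {}
    for part in parts:
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip()] = value.strip().replace("\\,", ",")
    return out


def client_id_from_env(environ, expected_issuer=EXPECTED_ISSUER_DN):
    """Return the client ID (the client cert's CN) or None if the request
    must not be trusted. SSLVerifyClient require already rejects unverified
    certs at the TLS layer; these checks are defence in depth inside the CGI,
    e.g. when SSLCACertificateFile happens to bundle more than one CA."""
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    if parse_dn(environ.get("SSL_CLIENT_I_DN", "")) != parse_dn(expected_issuer):
        return None                      # signed by some other CA
    cn = parse_dn(environ.get("SSL_CLIENT_S_DN", "")).get("CN")
    # Only accept a CN that looks like an account name, so it is safe to use
    # as a key into the application's data sets.
    if not cn or not re.fullmatch(r"[A-Za-z0-9._-]{1,64}", cn):
        return None
    return cn


# Constructed sample environment, shaped like what a CGI sees in os.environ
# with "SSLOptions +StdEnvVars".
SAMPLE_OK = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "CN=batchjob01,OU=Automation,O=Example Corp,C=US",
    "SSL_CLIENT_I_DN": "CN=In-house Client CA,O=Example Corp,C=US",
}
SAMPLE_WRONG_CA = dict(SAMPLE_OK, SSL_CLIENT_I_DN="CN=Some Public CA,O=Other,C=US")

if __name__ == "__main__":
    import os
    print(client_id_from_env(os.environ))   # None unless run under Apache
```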
