
I'm trying to connect to a web service (not under my control) configured to authenticate users via SSL client certs. I have a valid certificate in PKCS12 format containing the client certificate and associated private key. The certificate is issued by a CA accepted by the web service provider.

Installing the certificate and trying to access the restricted area in various browsers gives the following results:

  • IE6 - Works fine and I can retrieve the WSDL

  • IE7 - Prompts for the certificate but then fails with a 403.7 from the server

  • Firefox3 - Set to ask, but no prompt and fails with a 403.7

  • Safari 4 - Certificate is installed in the Keychain, but no prompt and a 403.7

Also, trying to access the web service programmatically (Java) fails with the same 403.7 error code.

Strange that this works in IE6 but in no other browser; what am I missing? Do I need to include the full CA certificate chain in the PKCS12 file?

Any help would be greatly appreciated.

2 Answers

2

This really works! If you're confused by the -inkey and -in options, they are the private key and certificate from the p12 file. You can convert the p12 file to pem format with:

openssl pkcs12 -in file.p12 -clcerts -out file.pem

and use the above command with "-in file.pem" only.

Also, you can import the root CA cert into your trusted certs store; here is a description of how to do that: http://gagravarr.org/writing/openssl-certs/others.shtml#ca-openssl, and then you don't have to manually copy the certificates. After installing the cert, use the command above without the "-CAfile chain.pem".

1

Ok, got this working. The answer is yes, I did need to include all intermediary CA certs in the PKCS12 file. I concatenated all the intermediary CA certs plus the Root CA cert in the file "chain.pem", then executed the following command:

openssl pkcs12 -export -chain -CAfile chain.pem -in cert.pem -inkey key.pem -out cert.p12
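The following script is an added example and is not code from the question or either answer. It reproduces the situation end to end with nothing but the openssl command line: it generates a throwaway root CA, an intermediate CA and a client certificate, exports the client key and certificate to PKCS#12 twice (once as a bare leaf, the way the original file evidently was, and once with the `-chain -CAfile chain.pem` command from the answer above), then counts the certificates in each file and checks which one a server that trusts only the root CA can verify. That last check is what an IIS server is doing when it returns 403.7 ("client certificate required"): if the intermediate is not presented by the client and the server does not have it locally, no path to the trusted root can be built. The CA names, file names and the PKCS#12 password "x" are arbitrary demo values; passing a real password on the command line is not something to copy from here.

```shell
#!/bin/sh
# Added example, not code from the original question or answers.
# Builds root -> intermediate -> client, exports the client credential to
# PKCS#12 with and without the CA chain, and shows the difference.
# All names and the password "x" are demo values only.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl config so the demo does not depend on the system openssl.cnf.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_inter]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_client]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF

for n in root inter client; do openssl genrsa -out "$n.key" 2048 2>/dev/null; done

# Root CA (self-signed), intermediate CA (signed by root), client cert (signed by intermediate).
openssl req -x509 -new -key root.key -subj "/CN=Example Root CA" -days 365 \
  -config ca.cnf -extensions v3_ca -out root.crt
openssl req -new -key inter.key -subj "/CN=Example Intermediate CA" -config ca.cnf -out inter.csr
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial -days 365 \
  -extfile ca.cnf -extensions v3_inter -out inter.crt 2>/dev/null
openssl req -new -key client.key -subj "/CN=client" -config ca.cnf -out client.csr
openssl x509 -req -in client.csr -CA inter.crt -CAkey inter.key -CAcreateserial -days 365 \
  -extfile ca.cnf -extensions v3_client -out cert.pem 2>/dev/null
cp client.key key.pem

# chain.pem = every intermediate CA cert plus the root, as in the answer.
cat inter.crt root.crt > chain.pem

# The two exports: leaf only (the question's starting point) and leaf plus chain (the fix).
openssl pkcs12 -export -in cert.pem -inkey key.pem -out leaf-only.p12 -passout pass:x
openssl pkcs12 -export -chain -CAfile chain.pem -in cert.pem -inkey key.pem \
  -out with-chain.p12 -passout pass:x

# How many certificates does a PKCS#12 file carry? (-nokeys dumps leaf and CA certs.)
p12_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin pass:x 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Stand-in for the web server: it trusts only the root CA and must build a path
# from the client's leaf using whatever CA certs the client sent alongside it.
# Returns 0 when the path builds, non-zero otherwise (the 403.7 case).
server_accepts() {
  openssl pkcs12 -in "$1" -nokeys -clcerts -passin pass:x 2>/dev/null > presented-leaf.pem
  openssl pkcs12 -in "$1" -nokeys -cacerts -passin pass:x 2>/dev/null > presented-cas.pem
  if grep -q 'BEGIN CERTIFICATE' presented-cas.pem; then
    openssl verify -CAfile root.crt -untrusted presented-cas.pem presented-leaf.pem >/dev/null 2>&1
  else
    openssl verify -CAfile root.crt presented-leaf.pem >/dev/null 2>&1
  fi
}

for f in leaf-only.p12 with-chain.p12; do
  if server_accepts "$f"; then verdict=accepted; else verdict=rejected; fi
  echo "$f: $(p12_cert_count "$f") certificate(s), $verdict by a root-only trust store"
done
```

To inspect a real PKCS#12 file the same way, run the `p12_cert_count` command against it with its own password: a count of 1 means only the leaf is inside, which is exactly the condition the accepted answer fixes by re-exporting with `-chain -CAfile chain.pem`.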