
It is not a duplicate but a similar question to this one: Multiple GitHub Accounts & SSH Config

I need to access several servers using different HTTPS client certificates (and obviously using different identities).

When I access the same servers using a browser, the browser asks which of the available client certificates I want to use.

When I try to clone using

    git clone https://user@server.domain.tld/path/to/repository.git

git just picks the "first available" of the matching certificates, which is the wrong one and doesn't get accepted.

If I remove the wrong certificates from the Windows certificate store until the correct one becomes the first pick, everything works as expected.

Question: how can I tell git which certificate to use? (I could provide the serial number or the fingerprint of the certificate that is to be used.)

If git would let me choose the certificate interactively, this would be fine as well.

In case there is a difference: Windows 10, git version 2.13.3.windows.1

UPDATE 9.9.2018: updated git to 2.18.0 => same behaviour

ADDITIONAL INFO: Apparently, I am using the schannel sslBackend, which uses the Windows certificate stores. My understanding is that http.sslKey can be configured to point to a file containing the private key.

As my client certificate is located on a smart card, there is no way to extract the private key part from the card.

iPirat
  • Usually in an HTTPS connection the server sends the client the info about which certificates (or better, which CAs) it will accept. Based on this info the client can automatically select the correct certificate. If the server does not send this info, or if git does not handle the info correctly, you end up as you have described. However, GIT via HTTPS with a client cert is a very uncommon way to access a repo. I would assume that this access way is not well tested, as key-based access usually uses ssh. – Robert Sep 09 '18 at 13:51
  • @Robert you are absolutely right, and the server does send the correct CA info. I do have several client certificates though (different identities). So I end up having multiple client certificates that are technically possible. They grant different access rights though => so I need to select the correct one – iPirat Sep 09 '18 at 13:57
  • Have you configured each repo to use the correct cert via `git config --local http.sslCert` and `git config --local http.sslKey`? – Robert Sep 09 '18 at 14:15
  • @robert sslCert is not set but it's fine (that one is responsible that git will trust the server and the trust is working without problems). I **think** that `http.sslKey` may be the option I'm looking for (guessing from its name). A quick search didn't reveal any docs on that option. I'll continue googling, but if you have a link handy, I'd be glad if you post it. Thanks! – iPirat Sep 09 '18 at 14:21
  • Found some info on `http.sslKey` on the net => this one will expect a file containing the private key, which is on a smart card (I added some additional info in the original question) – iPirat Sep 09 '18 at 14:37

0 Answers