The FreeBSD Diary

The FreeBSD Diary (TM)

Providing practical examples since 1998

If you buy from Amazon USA, please support us by using this link.
[ HOME | TOPICS | INDEX | WEB RESOURCES | BOOKS | CONTRIBUTE | SEARCH | FEEDBACK | FAQ | FORUMS ]
 New Topic  |  Go to Top  |  Go to Topic  |  Search  |  Log In   Newer Topic  |  Older Topic 
 DO NOT!! use PKCS#12
Author: Kaur 
Date:   04-04-02 13:13

Using PKCS#12 for getting server cert into browser is overkill.

But sending your server's PRIVATE KEY to the client PC is an absolute NO-NO!

What yous should do:
you should import your CA's certificate (or, if you really wish, your server's cert) into browser in their native .PEM format. DER would also work, but you have them in PEM already.

How to do it:
- copy the cacert.pem to any place in the server where it can be accessed by browser.
- in your web server config, the MIME type for .pem files must be application/x-x509-ca-cert. If it is not, set it to be. Or define a custom extension, like .cacert, with the same MIME-type.
- point your browser to this file, open it, view it, click 'install', answer 'yes' to most questions.
voila!

Your current suggestion - export the server's private key to the outside world - kills the whole idea of using SSL, you could as well just use plain HTTP.

Reply To This Message
 
 Re: DO NOT!! use PKCS#12
Author: Dan Langille 
Date:   04-04-02 18:20

Kaur wrote:
>
> Using PKCS#12 for getting server cert into browser is
> overkill.

Why?

> But sending your server's PRIVATE KEY to the client PC is an
> absolute NO-NO!

Could you please copy and paste exactly what is being done incorrectly? With that I can amend the document. Without it, I have no idea what, exactly, is wrong. Also helpful would be the corrections in addition to the original.

> Your current suggestion - export the server's private key to
> the outside world - kills the whole idea of using SSL, you
> could as well just use plain HTTP.

I agree. Now, where is it, exactly, that the server's private key is being given to the outside world? It's a big document, and it's not like it was written yesterday.

Reply To This Message
 
 Re: DO NOT!! use PKCS#12
Author: Erik 
Date:   05-04-02 19:26

>> But sending your server's PRIVATE KEY to the client PC is an
>> absolute NO-NO!
>
>Could you please copy and paste exactly what is being done
>incorrectly? With that I can amend the document. Without it,
>I have no idea what, exactly, is wrong. Also helpful would be
>the corrections in addition to the original.

All of section "Converting the certificate to pkcs12 format" is wrong. PKCS#12 is used for transporting a private key of a client certificate to the browser. There should be no need to convert the server certificate to PKCS#12 format. Basically you are handing out your server secret key to everyone to use as a client certificate when you give them the iestuff.p12 file.

So, to do it correctly, convert your client certificate (if you need one) to PKCS#12 to get the private key into the browser. Never the server one.

To make the client to trust the server certificate import the CA certificate in the client. It's the demoCA/cacert.pem file. I am on a Linux box right now, but basically in Windows you should be able to just double click on the file and it will ask you whether you want to import and trust it. Possibly you must rename the file to .crt, .cer or .der. Don't remember right now.

However you cannot expect (or at least in an ideal world you would not be able to expect) your customers to trust your own homemade CA certificate. Instead you would buy your server certificate from a real CA, and then you would not need to do anything on the client side.

Hope this helps.

/Erik

Reply To This Message
 
 Re: DO NOT!! use PKCS#12
Author: Dan Langille 
Date:   06-04-02 03:16

Erik wrote:

> All of section "Converting the certificate to pkcs12 format"
> is wrong. PKCS#12 is used for transporting a private key of a
> client certificate to the browser. There should be no need to
> convert the server certificate to PKCS#12 format. Basically
> you are handing out your server secret key to everyone to use
> as a client certificate when you give them the iestuff.p12
> file.

Ahh, the goal was to convert the client certificate. Not the server certificate. I bet it's an error propogated from copy/paste.

> So, to do it correctly, convert your client certificate (if
> you need one) to PKCS#12 to get the private key into the
> browser. Never the server one.

Agreed.

> However you cannot expect (or at least in an ideal world you
> would not be able to expect) your customers to trust your own
> homemade CA certificate.

Well, yes. I was creating a client certificate for my own use. I don't want just anyone browsing the admin pages of this web site....

> Instead you would buy your server
> certificate from a real CA, and then you would not need to do
> anything on the client side.

Sound advice for commercial site. Not practical for me though.

Thank you.

Reply To This Message
 
 article was good
Author: Andrew 
Date:   26-06-02 04:19

unlike most of those pedants - i thought this was a great article with an excellent reference how-to

good on you

Reply To This Message
 
 Some more links (Was: article was good)
Author: cam 
Date:   13-09-02 17:08

Andrew,

this isn't pedantry - making the mistake of exporting your server's private key invalidates the entire process. Would you say it was pedantic for banks to advise people not to write their PIN number on their bank cards in dayglo ink? Practical, yes, pedantic, no.

Otherwise, yes, a good article. For reference, here are the MIME type lines needed for apache's conf file to allow you to place server certs, crls and client certs - encrypted, of course - onto your site.

AddType application/x-x509-ca-cert crt
AddType application/x-pkcs7-crl crl
AddType application/x-x509-user-cert p12

For an admittedly technical lowdown on the various PKCS formats, see:

http://www.rsasecurity.com/rsalabs/pkcs/index.html

Also good intro stuff on certificates, see the stunnel site:

http://www.stunnel.org/faq/certs.html#ToC1

Reply To This Message
 Forum List  |  Threaded View   Newer Topic  |  Older Topic 


 Forum List  |  Need a Login? Register Here 
 User Login
 User Name:
 Password:
 Remember my login:
   
 Forgot Your Password?
Enter your email address or user name below and a new password will be sent to the email address associated with your profile.
How to get the most out of the forum

phorum.org