Этот сайт имеет ограниченную функциональность, пока мы проводим техническое обслуживание для улучшения его работы. Если какая-либо статья не решила вашу проблему и вы хотите задать вопрос, наше сообщество поддержки ждёт вас: @FirefoxSupport в Твиттере и /r/firefox на Reddit.

Поиск в Поддержке

Избегайте мошенников, выдающих себя за службу поддержки. Мы никогда не попросим вас позвонить, отправить текстовое сообщение или поделиться личной информацией. Сообщайте о подозрительной активности, используя функцию «Пожаловаться».

Подробнее

Import client certificate for website with selfsigned ssl certificate

  • 1 ответ
  • 8 имеют эту проблему
  • 9 просмотров
  • Последний ответ от n'Arno

more options

Hi,

I'm building a simple web tool box and i use a self-signed certificate for HTTP SSL encryption.

Furthermore, I'll use client certificate for authentication.

If i add an exception for the website, i can't later on install my client certificate (error message: the PKCS #12 operation failed for unknown reasons).

If i first add the client certificate, i can't then access the website to add an exception: sec_error_reused_issuer_and_serial

Even if i first add the my CA, it doesn't help.

Please find below the method i used to create my certificates:

  1. !/bin/bash

set -e

  1. Create the CA Key and Certificate for signing Client Certs

openssl genrsa -out ca.key 4096 openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

  1. Create the Server Key, CSR, and Certificate

openssl genrsa -out server.key 2048 openssl req -new -key server.key -out server.csr

  1. We're self signing our own server cert here. This is a no-no in production.

openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

  1. Create the Client Key and CSR

openssl genrsa -out client.key 2048 openssl req -new -key client.key -out client.csr

  1. Sign the client certificate with our CA cert. Unlike signing our own server cert, this is what we want to do.

openssl x509 -req -days 3650 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt

  1. Build client PKCS12

openssl pkcs12 -inkey client.key -in client.crt -export -out client.pfx

Best Regards,

Hi, I'm building a simple web tool box and i use a self-signed certificate for HTTP SSL encryption. Furthermore, I'll use client certificate for authentication. If i add an exception for the website, i can't later on install my client certificate (error message: the PKCS #12 operation failed for unknown reasons). If i first add the client certificate, i can't then access the website to add an exception: sec_error_reused_issuer_and_serial Even if i first add the my CA, it doesn't help. Please find below the method i used to create my certificates: #!/bin/bash set -e # Create the CA Key and Certificate for signing Client Certs openssl genrsa -out ca.key 4096 openssl req -new -x509 -days 3650 -key ca.key -out ca.crt # Create the Server Key, CSR, and Certificate openssl genrsa -out server.key 2048 openssl req -new -key server.key -out server.csr # We're self signing our own server cert here. This is a no-no in production. openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt # Create the Client Key and CSR openssl genrsa -out client.key 2048 openssl req -new -key client.key -out client.csr # Sign the client certificate with our CA cert. Unlike signing our own server cert, this is what we want to do. openssl x509 -req -days 3650 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt #Build client PKCS12 openssl pkcs12 -inkey client.key -in client.crt -export -out client.pfx Best Regards,

Изменено n'Arno

Все ответы (1)

more options

In the end, i used a StartSSL free certificate for the server and my own CA for the client BUT using 2 different values for set_serial should do the trick.