为提升您的使用体验,本站正在维护,部分功能暂时无法使用。如果本站文章无法解决您的问题,您想要向社区提问的话,请到 Twitter 上的 @FirefoxSupport 或 Reddit 上的 /r/firefox 提问,我们的支持社区将会很快回复您的疑问。

搜索 | 用户支持

防范以用户支持为名的诈骗。我们绝对不会要求您拨打电话或发送短信,及提供任何个人信息。请使用“举报滥用”选项报告涉及违规的行为。

详细了解

Import client certificate for website with selfsigned ssl certificate

  • 1 个回答
  • 8 人有此问题
  • 9 次查看
  • 最后回复者为 n'Arno

more options

Hi,

I'm building a simple web tool box and i use a self-signed certificate for HTTP SSL encryption.

Furthermore, I'll use client certificate for authentication.

If i add an exception for the website, i can't later on install my client certificate (error message: the PKCS #12 operation failed for unknown reasons).

If i first add the client certificate, i can't then access the website to add an exception: sec_error_reused_issuer_and_serial

Even if i first add the my CA, it doesn't help.

Please find below the method i used to create my certificates:

  1. !/bin/bash

set -e

  1. Create the CA Key and Certificate for signing Client Certs

openssl genrsa -out ca.key 4096 openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

  1. Create the Server Key, CSR, and Certificate

openssl genrsa -out server.key 2048 openssl req -new -key server.key -out server.csr

  1. We're self signing our own server cert here. This is a no-no in production.

openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

  1. Create the Client Key and CSR

openssl genrsa -out client.key 2048 openssl req -new -key client.key -out client.csr

  1. Sign the client certificate with our CA cert. Unlike signing our own server cert, this is what we want to do.

openssl x509 -req -days 3650 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt

  1. Build client PKCS12

openssl pkcs12 -inkey client.key -in client.crt -export -out client.pfx

Best Regards,

Hi, I'm building a simple web tool box and i use a self-signed certificate for HTTP SSL encryption. Furthermore, I'll use client certificate for authentication. If i add an exception for the website, i can't later on install my client certificate (error message: the PKCS #12 operation failed for unknown reasons). If i first add the client certificate, i can't then access the website to add an exception: sec_error_reused_issuer_and_serial Even if i first add the my CA, it doesn't help. Please find below the method i used to create my certificates: #!/bin/bash set -e # Create the CA Key and Certificate for signing Client Certs openssl genrsa -out ca.key 4096 openssl req -new -x509 -days 3650 -key ca.key -out ca.crt # Create the Server Key, CSR, and Certificate openssl genrsa -out server.key 2048 openssl req -new -key server.key -out server.csr # We're self signing our own server cert here. This is a no-no in production. openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt # Create the Client Key and CSR openssl genrsa -out client.key 2048 openssl req -new -key client.key -out client.csr # Sign the client certificate with our CA cert. Unlike signing our own server cert, this is what we want to do. openssl x509 -req -days 3650 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt #Build client PKCS12 openssl pkcs12 -inkey client.key -in client.crt -export -out client.pfx Best Regards,

由n'Arno于修改

所有回复 (1)

more options

In the end, i used a StartSSL free certificate for the server and my own CA for the client BUT using 2 different values for set_serial should do the trick.