I'm not exactly sure what I am doing wrong so I will try to detail what I have
done in hopes that someone can give me some guidance.
First I started with a working Pound 2.1.7 install. HTTPS is working and
happy.
Then I tried to add client-side certificates; these are my steps:
1. Create a new CA
$ openssl req -new -x509 -days 3650 -keyout private/CAkey.pem -out CAcert.pem -config openssl.cnf
2. Create a certificate request and an unencrypted private key
$ openssl req -new -keyout key.pem -out req.pem -days 3650 -config openssl.cnf -nodes
3. Sign the certificate request with the CA’s certificate and private key
$ cat req.pem key.pem > new-req.pem
$ openssl ca -policy policy_match -out out.pem -config openssl.cnf -infiles new-req.pem
4. Combine the certificate and key into one file
$ cat out.pem key.pem > cert.pem
5. Convert the pem format file to pkcs12 so it can be imported into the browser
$ openssl pkcs12 -export -in cert.pem -out cert.p12
I then import the cert.p12 file into the web browser with no error and it
shows up under the client certs.
I add the following entries into pound.cfg:
CAlist "/etc/ssl/client_ca/CAcert.pem"
ClientCert 2 9
At this point, when I try to connect to Pound with the web browser (Firefox), a
client cert is requested - cool! But when I select the imported cert it is
rejected by Pound.
If I switch pound.cfg to contain ClientCert 3 9 I actually get connected and
the X-SSL-* headers are passed, so I know that I am close: the browser is
sending the cert, and only the validation phase is broken.
If anyone has any advice I would really appreciate it.
Thanks,
Craig
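Added example, not part of the original post: a throwaway script that rebuilds the CA and client certificate from the steps above and then runs the chain check that Pound performs under ClientCert 2 (does the presented certificate verify against the CAlist file?). It assumes the openssl CLI is installed, and it signs with `openssl x509 -req` instead of `openssl ca` so that no CA database (index.txt, serial) is needed; the demo subject names and the WORK directory are made up.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the openssl CLI.
# Signing uses "openssl x509 -req" in place of "openssl ca" to avoid the
# CA database setup; the resulting cert/CA chain has the same shape.
set -e

WORK="${WORK:-$(mktemp -d)}"

make_ca() {
  # Step 1 of the post: self-signed CA (unencrypted key, demo only)
  openssl req -new -x509 -days 3650 -nodes -subj "/CN=Demo Client CA" \
    -keyout "$WORK/CAkey.pem" -out "$WORK/CAcert.pem" 2>/dev/null
}

make_client_cert() {
  # Steps 2-4: CSR plus key, sign with the CA, concatenate cert and key
  openssl req -new -nodes -subj "/CN=demo-user" \
    -keyout "$WORK/key.pem" -out "$WORK/req.pem" 2>/dev/null
  openssl x509 -req -days 3650 -in "$WORK/req.pem" \
    -CA "$WORK/CAcert.pem" -CAkey "$WORK/CAkey.pem" -CAcreateserial \
    -out "$WORK/out.pem" 2>/dev/null
  cat "$WORK/out.pem" "$WORK/key.pem" > "$WORK/cert.pem"
}

verify_client_cert() {
  # $1 = CA file given to CAlist, $2 = certificate the browser presents.
  # This is the check that distinguishes "ClientCert 2" (verify) from
  # "ClientCert 3" (accept anything). Prints OK or FAIL.
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# Stand-alone run: build everything and report the verification result
make_ca
make_client_cert
verify_client_cert "$WORK/CAcert.pem" "$WORK/out.pem"
```

If the same check fails against the real CAcert.pem and out.pem, the certificate does not chain to the CA that Pound was given, which is exactly the case ClientCert 2 rejects.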