[Fwd: Re: [Mono-dev] HTTPS - MS .NET Client - Linux Mono Server - Interoperability]
sebastien.pouliot at gmail.com
Wed Sep 28 09:20:38 EDT 2005
On Wed, 2005-28-09 at 14:54 +0200, Yngve Zackrisson wrote:
> > > > Should I add a PKCS#12 cert file to the Mono Store (Machine store)
> > > > (mono /.../certmgr.exe -add -c -m Trust server16-cert.p12)
> > > > or add only the CA to the trust store
> > > > (mono /.../certmgr.exe -add -c -m Trust cacert16t.cer)
> > > > or anything else to get rid of this error message?.
> > >
> > > It must be either the user or machine Trusted store (otherwise you'll
> > > get a trust error).
> > OK. But witch certificate is preferable to add to the store?:
> > a) mono /.../certmgr.exe -add -c -m Trust server16-cert.p12
> > or
> > b) mono /.../certmgr.exe -add -c -m Trust cacert16t.cer
Trust is transitive, i.e. the server will be trusted if it's signer is
trusted. So only the self-signed root certificate needs to be added to
the Trust store.
> > I also have a question about the trust of the root CA certificate.
> > The cacert16t.cer above I have created with the following
> > openssl commands:
> > ...
> > $ openssl x509 -in cacert16.pem -trustout -setalias "TrustedRootCert"
> > -out cacert16t.pem
> > $ openssl x509 -inform PEM -in cacert16t.pem -outform DER -out
> > cacert16t.cer
> > is the first openssl command necessary since the signed client
> > and server certificates, or at least its root CA,
> > should be added to the Windows/Mono (Trust) store?.
> > Currently I use the cacert16t.pem file as -certfile
> > when creating the client and server PKCS#12 files -
> > with the openssl pkcs12 command.
> > Will the cacert16.pem file be enough?
I honestly don't know (without reading the man page myself). I don't use
openssl much (for x.509 related stuff) because (a) it's formats aren't
the one natively used in .NET and (b) I try to dogfood my own tools ;-)
> > > Yesterday (after your previous email) I tried to use the MS runtime for
> > > client certificate without success (same failure). Somehow MS does
> > > something different* because the server can't verify the signature (and
> > > it's not a key and/or decryption problem - the hash value is different
> > > but the padding is ok).
> > >
> > > Using IE (with the SSL2 client hello) to do the same turned out another
> > > problem, very similar to the bug #76254 reported today.
> > >
> > > [*] The client certificate testing is done with wget/openssl
> > > (linux/cygwin) - which sadly doesn't seems enough :(
> > Please let me know if you come up with some solution.
> > I have been working with the HTTPS communication for some 2 months now,
> > and my boss is eager to get an solution :-).
Please open a bugzilla issue on bugzilla.ximian.com (e.g. "SSL client
certificate doesn't work with IE."). That way you'll get notified as
soon as (and whenever) I change the bug status.
email: sebastien at ximian.com
More information about the Mono-devel-list