Hi folks,

I am using the Monit package from RHEL 7: monit-5.14-1.el7.x86_64, and
running into an issue with client certificate authentication.

I've tried two methods to set up client certificates and each way I get the
error message in the monit log.  The browser never asked me to select a
certificate.

SSL: client didn't send a client certificate

In my first attempt, I exported one of my CAC certificates (it does not
allow exporting the key, just the certificate).  It comes in DER format, so
I converted to PEM and gave that file to monit.  I also used the
ALLOWSELFCERTIFICATION option.

OpenSSL commands:

cd /etc/pki/tls/certs
openssl x509 -in mycert.der -inform der -out mycert.cer -outform pem

Monit config like so:
set httpd port 443 and
    use address 192.168.80.130  # only accept connection from localhost
    ssl enable
    pemfile /etc/pki/tls/certs/server.cer
    clientpemfile /etc/pki/tls/certs/mycert.cer
    allowselfcertification
    allow admin:monit

The browser did not ask me to supply a certificate and monit gave the error.

SSL: client didn't send a client certificate

In the next situation I generated my own CA and used it to sign a
certificate.  That caused the same result: the browser never asked for a
cert, and monit gave the error above.

OpenSSL commands:

cd /etc/pki/tls
openssl genrsa -out private/ca.key 4096
openssl req -new -x509 -days 365 -key private/ca.key -out certs/ca.cer
openssl x509 -req -days 365 -in misc/test.csr -CA certs/ca.cer -CAkey private/ca.key \
    -set_serial 01 -out certs/test.cer

Convert to p12 so I can import into Opera/Firefox/Chrome:

openssl pkcs12 -export -in certs/test.cer -inkey private/test.key \
    -out /home/sqltest/test.p12 -name "test"

Monit config like so:

set httpd port 443 and
    use address 192.168.80.130  # only accept connection from localhost
    ssl enable
    pemfile /etc/pki/tls/certs/server.cer
    clientpemfile /etc/pki/tls/certs/test.cer
    allowselfcertification
    allow admin:monit

Anytime I try to connect (I have tried a few browsers) I only get the error
message in the logs.  But the browser never lets me choose any cert I want
to send.  It seems as if Monit is not asking for a cert in the first place.

Does anybody have any ideas why this might happen?

Any help is appreciated.

V/r,
Bryan
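The symptom in this post (no browser prompt, server logs "client didn't send a client certificate") is best narrowed down by first establishing whether the server emits a TLS CertificateRequest at all. The script below is an added example, not code from the monit project or from the original post: it builds a throwaway CA, server certificate and client certificate with the same kind of openssl commands used above, runs `openssl s_server` with and without `-Verify`, and uses `openssl s_client` to check (a) whether a CertificateRequest was sent, which s_client reports as "Acceptable client certificate CA names", and (b) whether the `-www` server answers once a client certificate is or is not presented. It assumes the `openssl` CLI is installed and that local port 24433 is free; every file name, subject and port here is constructed for the example.

```shell
#!/bin/sh
# Added example (not monit's code): does a TLS server request and accept a
# client certificate? Reproduced locally with the openssl CLI only.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found"; exit 0; }

WORK=$(mktemp -d)          # throwaway directory for the constructed PKI
PORT=24433                 # assumed free local port for the test s_server
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. Constructed CA, then a server cert and a client cert signed by it
#    (same shape as the openssl commands in the post, with -subj so it runs
#    non-interactively).
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
        -keyout ca.key -out ca.cer 2>/dev/null
    for name in server test; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
            -keyout "$name.key" -out "$name.csr" 2>/dev/null
        openssl x509 -req -days 1 -in "$name.csr" -CA ca.cer -CAkey ca.key \
            -CAcreateserial -out "$name.cer" 2>/dev/null
    done
}

# 2. Start s_server with extra flags ($1), make one s_client connection with
#    extra flags ($2), and print s_client's full transcript for inspection.
tls_probe() {
    openssl s_server -accept "$PORT" -cert server.cer -key server.key -www $1 \
        >/dev/null 2>&1 &
    pid=$!
    sleep 1                # crude wait for the listener to come up
    printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -connect "127.0.0.1:$PORT" \
        -CAfile ca.cer -ign_eof $2 2>&1 || true
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
}

# 3a. Did the server send a CertificateRequest? s_client lists the CA names it
#     carried; with no request it prints "No client certificate CA names sent".
server_requests_client_cert() {      # $1 = extra s_server flags
    case "$(tls_probe "$1" "")" in
        *"Acceptable client certificate CA names"*) echo yes ;;
        *) echo no ;;
    esac
}

# 3b. Against a server that requires a client cert (-Verify), does the -www
#     handler answer? Only a completed, verified handshake yields the 200 line.
server_accepts_client() {            # $1 = extra s_client flags
    case "$(tls_probe "-Verify 1 -CAfile ca.cer" "$1")" in
        *"HTTP/1.0 200"*) echo accepted ;;
        *) echo rejected ;;
    esac
}

main() {
    make_test_pki
    echo "server without -Verify requests a client cert: $(server_requests_client_cert "")"
    echo "server with -Verify requests a client cert:    $(server_requests_client_cert "-Verify 1 -CAfile ca.cer")"
    echo "no client cert presented:                     $(server_accepts_client "")"
    echo "client cert presented:                        $(server_accepts_client "-cert test.cer -key test.key")"
}
main
```

The same "Acceptable client certificate CA names" check works against any server: run `openssl s_client -connect host:port` by hand and look for that line in the output. If it is absent (s_client prints "No client certificate CA names sent" instead), the server never asked for a certificate, which is exactly why a browser shows no certificate picker; if it is present but the handshake still fails, the problem is on the certificate or trust side rather than the request side.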