开发者

SSL client certificate needs special contents?

I have a server with an SSL certificate and clients with SSL cetificates, all are signed by the same CA, and the CA is trusted on the server and clients as a root authority.

However none of the clients I have tried (iphone, chrome, explorer) will send the client certificate when the server requests it, even though they all verify the server certificate fine. They all claim not to have the certificate.

When I look at the client certificate in the certificate/profile/store they all claim开发者_StackOverflow it is verified and legit, and all the certificates verify fine using openssl etc.

Does an SSL client certificate need a specific name or other details so that client browsers will know when to use it? Kinda of like how a server certificate has to specify the exact domain as the name on the certificate?

The server is an apache2.2 server, but I don't think its a problem on the servers end.


  1. Client certificates must have appropriate Key Usage and Extended Key Usage extensions set. What is "appropriate" in your case, I don't know for sure but the number of variants in Key Usage is small and you can check various values yourself.
  2. You surely haven't forgot about the private key which should be accessible on the client side, have you?


There's a summary of the key usage and extended key usage extensions to use in this document:

  • http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn3.html

(Although it is for NSS, it should apply to other products.)

You could also check whether the list of accepted CAs sent by the server is configured properly. This can be seen using openssl s_client -connect the.host.name:443, for example.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜