
I am creating a website (with OpenResty, but I don't believe that is relevant) which accepts only HTTPS connections with client certificate verification. I followed http://www.integralist.co.uk/posts/clientcertauth.html for generating my own Certificate Authority, a Certificate Signing Request, and a CRT. I then tested that my webserver properly accepts this CRT when I go to a URL with Python:

import requests
from urllib.parse import urlencode

certName = "mycert"
cert = (certName + ".crt", certName + ".key")   # requests takes (client cert file, private key file)
response = requests.get(url, params=urlencode(payload), cert=cert, verify=False, stream=True)

Now, I am trying to access the same URL from Google Chrome. I used Settings --> HTTPS/SSL --> Manage certificates --> Import to import my CRT file. However, whenever I go to the URL, I always get 400 Bad Request - no required SSL certificate was sent. By looking at nginx error log, I confirmed that "client sent no required SSL certificate"

How do I tell Chrome to use a certificate for a specific URL?

Paul Grinberg

Comments:

  • For client authentication you need the certificate AND THE PRIVATE KEY (in one certstore entry). That webpage hurts my eyes, but it looks like you used openssl; if so you can use openssl to combine the private key and certificate chain into a pkcs12 (aka PFX) and import that into the Windows store Chrome uses, see http://stackoverflow.com/questions/808669/convert-a-cert-pem-certificate-to-a-pfx-certificate or http://stackoverflow.com/questions/553149/is-it-possible-to-convert-an-ssl-certificate-from-a-key-file-to-a-pfx – dave_thompson_085 Mar 16 '17 at 03:58
  • Note this doesn't tell Chrome to use it 'for a specific URL'; it will be used for any server which requests certs using the CA name in this cert. Since you apparently set up your own CA, presumably only servers you control will request certs using that CA name. – dave_thompson_085 Mar 16 '17 at 04:00

1 Answer

There are several things to be addressed here.

  1. Have you installed the CA certificate in the corresponding CA stores?
  2. You will need to import the client certificate along with the private key in the current user store. The file extension is .pfx. You are currently getting the 400 error as the browser thinks it doesn't have any client certificate to work with.
  3. You cannot tell Chrome to use a specific cert for a specific URL.

Refer to this blog post on how TLS mutual auth works: https://blogs.msdn.microsoft.com/kaushal/2015/05/27/client-certificate-authentication-part-1/