IceSSL with Windows Certificate Store

renzo (Aleksey Blokhin, JSC "SRI Vector", project: Remote host monitoring system)
edited July 2016 in Help Center

Hello!

Could you help me, please, to understand how I can force IceSSL to work with the Windows Certificate Store.

Using openssl (openssl req -x509 -newkey rsa:2048 -keyout cert.key -out cert.crc), I've created two files: cert.crc (public key) and cert.key (private server key). Based on these two files I've created a pfx certificate (openssl pkcs12 -export -in cert.crc -inkey cert.key -out cert.pfx). On the server side I've added the cert.pfx via mmc.exe to the 'Trusted Root Certification Authorities' branch.

The server configuration contains the following properties:
IceSSL.FindCert="subject:"Renzo"
IceSSL.CertStore=Root
IceSSL.CertStoreLocation=LocalMachine
IceSSL.TrustOnly=CN=Renzo
Ice.Override.Secure=1

The server runs without errors.

On the client side, I've added the cert.crc via mmc.exe to the 'Personal' branch.
If I try to create a proxy to the ssl endpoint without any properties, like this:
Demo::ITestPrx::checkedCast(communicator->stringToProxy("test:ssl -p 10001"));
then I get an exception: "StreamSocket.cpp:452: Ice::ConnectionLostException: connection lost"
If I set the following properties on the client side:
IceSSL.FindCert="subject:"Renzo"
IceSSL.CertStore=My
IceSSL.CertStoreLocation=LocalMachine
IceSSL.TrustOnly=CN=Renzo
I get an exception "SChannelEngine.cpp:740: Ice::SecurityException: security exception: IceSSL: failed to acquire credentials handle".

What am I doing wrong?

Thank you!

Comments

  • xdm (Jose Gutierrez de la Concha, ZeroC Staff, La Coruña, Spain)

    Hi,

    I think you have an extra quote in FindCert. I think you should also be using the CurrentUser store.

    Using the Ice hello demo as an example, the configuration should be something like:

    import certs/cacert.der to the trusted certificate authorities store
    import cert/client.p12 to the CurrentUser Personal Store
    import cert/server.p12 to the CurrentUser Personal Store

    Client configuration:

    Ice.Plugin.IceSSL=IceSSL:createIceSSL
    IceSSL.UsePlatformCAs=1
    IceSSL.FindCert=SUBJECT:Client
    IceSSL.CertStore=My
    IceSSL.CertStoreLocation=CurrentUser
    IceSSL.Password=password
    IceSSL.TrustOnly.Server=CN=127.0.0.1
    

    Server configuration:

    Ice.Plugin.IceSSL=IceSSL:createIceSSL
    IceSSL.UsePlatformCAs=1
    IceSSL.FindCert=SUBJECT:127.0.0.1
    IceSSL.CertStore=My
    IceSSL.CertStoreLocation=CurrentUser
    IceSSL.Password=password
    IceSSL.TrustOnly.Client=CN=client
    

    For the details on these properties consult the IceSSL property reference.

  • renzo (Aleksey Blokhin, JSC "SRI Vector")

    Thank you for your response!

    The problem was that the client's and server's cert files must be in PFX format, but I had them in PEM.

  • xdm (Jose Gutierrez de la Concha, ZeroC Staff)

    Glad you got it working. When you import a PEM certificate you import only the public key, hence the failure to acquire the credentials, because there isn't a private key associated.
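The diagnosis in the reply above (a store entry that carries only a public key) can be confirmed before starting Ice. The following PowerShell check is an added example, not code from the thread or from ZeroC: `Test-IceSslCert` is a hypothetical function name, and the substring match on the subject is an assumption about how the `SUBJECT:` criterion of `IceSSL.FindCert` selects a certificate.

```powershell
# Added example (not from the thread or from ZeroC): inspect the certificate that
# IceSSL.FindCert=SUBJECT:<value> would pick from the configured store and report
# whether it has a private key and chains to the platform CAs.
# Assumption: SUBJECT: behaves like a substring match; adjust if your lookup is exact.
function Test-IceSslCert {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Subject,        # IceSSL.FindCert=SUBJECT:<value>
        [ValidateSet('CurrentUser', 'LocalMachine')]
        [string] $StoreLocation = 'CurrentUser',         # IceSSL.CertStoreLocation
        [string] $StoreName = 'My'                       # IceSSL.CertStore
    )
    $path  = "Cert:\$StoreLocation\$StoreName"
    $found = @(Get-ChildItem -Path $path | Where-Object { $_.Subject -like "*$Subject*" })
    if ($found.Count -eq 0) {
        Write-Warning "No certificate whose subject contains '$Subject' in $path"
        return $false
    }
    $ok = $true
    foreach ($cert in $found) {
        # Build the chain against the platform trust store (what IceSSL.UsePlatformCAs=1 relies on).
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'    # offline check; keep revocation on in production
        $trusted = $chain.Build($cert)
        Write-Host ("{0}`n  thumbprint={1} privateKey={2} chainTrusted={3} notAfter={4}" -f
            $cert.Subject, $cert.Thumbprint, $cert.HasPrivateKey, $trusted, $cert.NotAfter)
        if (-not $cert.HasPrivateKey) {
            # A PEM/DER import carries only the public key; IceSSL then cannot acquire a credentials handle.
            Write-Warning "$($cert.Thumbprint): store entry has no private key (import the .p12/.pfx instead)"
            $ok = $false
        }
        if (-not $trusted) {
            Write-Warning "$($cert.Thumbprint): chain does not validate against the platform CAs"
            $ok = $false
        }
    }
    return $ok
}

# Check the client and server certificates from the configuration above.
Test-IceSslCert -Subject 'Client'
Test-IceSslCert -Subject '127.0.0.1'
```

`HasPrivateKey` only says a key is linked to the entry; with `IceSSL.CertStoreLocation=LocalMachine` the Ice process account additionally needs read access to that key.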
