Archived
IceSSL with Windows Certificate Store
Hello!
Could you help me, please, to understand how I can force IceSSL to work with the Windows Certificate Store?
Using openssl (openssl req -x509 -newkey rsa:2048 -keyout cert.key -out cert.crc), I've created two files: cert.crc (public key) and cert.key (private server key). Based on these two files I've created a pfx certificate (openssl pkcs12 -export -in cert.crc -inkey cert.key -out cert.pfx). On the server side I've added the cert.pfx via mmc.exe to the 'Trusted Root Certification Authorities' branch.
The server configuration contains the following properties:
IceSSL.FindCert="subject:"Renzo"
IceSSL.CertStore=Root
IceSSL.CertStoreLocation=LocalMachine
IceSSL.TrustOnly=CN=Renzo
Ice.Override.Secure=1
The server runs without errors.
On the client side, I've added the cert.crc via mmc.exe to the 'Personal' branch.
If I try to create a proxy to an ssl endpoint without any properties, like this:
Demo::ITestPrx::checkedCast(communicator->stringToProxy("test:ssl -p 10001"));
then I get an exception: "StreamSocket.cpp:452: Ice::ConnectionLostException: connection lost"
If I set the following properties on the client side:
IceSSL.FindCert="subject:"Renzo"
IceSSL.CertStore=My
IceSSL.CertStoreLocation=LocalMachine
IceSSL.TrustOnly=CN=Renzo
I get an exception "SChannelEngine.cpp:740: Ice::SecurityException: security exception: IceSSL: failed to acquire credentials handle".
What am I doing wrong?
Thank you!
Comments
-
Hi,
I think you have an extra quote in FindCert. I think you should also be using the CurrentUser store.
Using the Ice hello demo as an example, the configuration should be something like:
import certs/cacert.der to the trusted certificate authorities store
import cert/client.p12 to the CurrentUser Personal Store
import cert/server.p12 to the CurrentUser Personal Store
Client configuration:
Ice.Plugin.IceSSL=IceSSL:createIceSSL
IceSSL.UsePlatformCAs=1
IceSSL.FindCert=SUBJECT:Client
IceSSL.CertStore=My
IceSSL.CertStoreLocation=CurrentUser
IceSSL.Password=password
IceSSL.TrustOnly.Server=CN=127.0.0.1
Server configuration:
Ice.Plugin.IceSSL=IceSSL:createIceSSL
IceSSL.UsePlatformCAs=1
IceSSL.FindCert=SUBJECT:127.0.0.1
IceSSL.CertStore=My
IceSSL.CertStoreLocation=CurrentUser
IceSSL.Password=password
IceSSL.TrustOnly.Client=CN=client
For the details on these properties, consult the IceSSL property reference.
0 -
Thank you for your response!
The problem was that the client's and server's cert files must be in PFX format, but I had them in PEM.
0 -
Glad you got it working. When you import a PEM certificate you import only the public key, hence the failure to acquire the credentials, because there isn't a private key associated.
0
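The two things the thread turns on are the store/subject that IceSSL.FindCert, IceSSL.CertStore and IceSSL.CertStoreLocation select, and whether the certificate found there actually carries a private key (a PEM/.crt import does not, which is what produces "failed to acquire credentials handle"). The following PowerShell script is an added example, not code from the thread or from ZeroC: it imports a PFX into the CurrentUser Personal store and then checks the matching certificate the way a practitioner would before starting the Ice server. The PFX path, password prompt and subject name are placeholders; the cmdlets used (Import-PfxCertificate, Get-ChildItem on the Cert: drive) are standard Windows PKI cmdlets.

```powershell
# Added example (not from the original thread or from ZeroC).
# Checks that the certificate IceSSL will pick via FindCert=SUBJECT:<name>
# in store CertStoreLocation=CurrentUser / CertStore=My has a private key.
param(
    [string]$PfxPath   = 'C:\certs\server.pfx',    # placeholder path
    [string]$Subject   = 'CN=127.0.0.1',           # matches IceSSL.FindCert=SUBJECT:127.0.0.1
    [string]$StorePath = 'Cert:\CurrentUser\My'    # CertStoreLocation=CurrentUser, CertStore=My
)

function Test-IceSslStoreCert {
    param([string]$Subject, [string]$StorePath)

    # Same kind of lookup IceSSL performs: match on subject in the configured store.
    $found = Get-ChildItem -Path $StorePath |
        Where-Object { $_.Subject -like "*$Subject*" }

    if (-not $found) {
        Write-Warning "No certificate with subject '$Subject' in $StorePath"
        return $false
    }

    foreach ($cert in $found) {
        if ($cert.HasPrivateKey) {
            Write-Host "OK: $($cert.Subject) (thumbprint $($cert.Thumbprint)) has a private key"
            return $true
        }
        # A certificate imported from PEM/DER lands here: public key only, so
        # SChannel cannot build a credentials handle for the server/client side.
        Write-Warning "$($cert.Subject) has NO private key (imported from PEM/DER instead of PFX?)"
    }
    return $false
}

# Import the PFX (certificate + private key) into the Personal store, then verify.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation $StorePath -Password $pfxPassword | Out-Null

if (-not (Test-IceSslStoreCert -Subject $Subject -StorePath $StorePath)) {
    Write-Warning 'IceSSL would fail with "failed to acquire credentials handle" for this configuration'
    exit 1
}
```

Run it once per side (server with the server subject, client with the client subject) in the same user context the Ice process runs under, since CertStoreLocation=CurrentUser is per user; a certificate that was imported under another account or into LocalMachine will not be found. If the check reports a certificate without a private key, re-export it as PKCS#12 (the openssl pkcs12 -export step in the question) and import that file instead of the PEM.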