Home Help Center

Ice SSL server and client both require private keys for mutual authentication.

rensingrensing Member Rick EnsingOrganization: The PEER GroupProject: Connection Management
I have a server that manages multiple client connections over the ICE framework. I'm trying to use ICESSL to establish an SSL connection between server and clients.

Used MakeCert.exe to generate a self-signed CA certificate and also used MakeCert.exe to generate an application specific certificate using this self-signed CA.

Installed the CA public key into LocalMachine.TrustedRoot of the server machine and the application public AND private keys into the LocalMachine.Personal cert store location.

Installed the CA public key into CurrentUser.TrustedRoot of a client machine and the application public key into the CurrentUser.Personal cert store location.

Verified that the cert chain is correct, valid and complete.

I have created a cert verifier for the both the server and the client. The certificates are referenced in the configuration files using the thumbprints of the application specific certificate. I've included the IceSSL section of both the server and client configurations below:

IceSSL.FindCert.LocalMachine.My=thumbprint:"7d 1b 77 dd 7b bd 49 c9 67 36 52 79 e1 cf e8 9d 81 aa 36 7b"
IceSSL.TrustOnly=CN=PEER Group REMC

IceSSL.FindCert.CurrentUser.My=thumbprint:"7d 1b 77 dd 7b bd 49 c9 67 36 52 79 e1 cf e8 9d 81 aa 36 7b"
IceSSL.TrustOnly=CN=PEER Group REMC

Based on the documentation and these settings, I was hoping to achieve an SSL connection WITH mutual authentication. The above configuration does NOT work. The server receives an empty list of certificates in the cert verifier, indicating that the server is not receiving the client cert chain and explaining why, if the VerifyPeer=0 setting is added, communication is established but mutual authentication is 'no'.

IF I put the public AND private keys of the application certificate into BOTH machine 'Personal' cert store locations, it does work and mutual auth is achieved. However, requiring the private key on both sides does NOT provide the required security.

Question 1: is there a way to have the private key on only one side of an SSL interaction AND achieve mutual authentication.

Further observation: On the client machine, if I have the public key only in the CurrentUser.Personal location and have both public and private in the LocalMachine.Personal location, and I run the client in non-admin mode, it still works; it appears that the ICE SSL implementation is actually using both cert store locations to try and locate the required private key.

Question 2: shouldn't the key lookup be restricted to ONLY the location defined in the configuration file?

I look forward to any feedback or assistance that someone may have on these items.


  • rensingrensing Member Rick EnsingOrganization: The PEER GroupProject: Connection Management

    On further investigation, discovered that I was not understanding and implementing mutual auth correctly.

    Updated to have one cert for the server and a DIFFERENT one for the client (in hindsight, an obvious oversight). Each party has their own private key in the Personal location of the cert store and the public key of the other party also in the Personal location of the cert store.

    Then each party references the Thumbprint of the their specific cert and all is well. As long as the self-signed CA cert is in the Trusted Root of the same StoreLocation, the proper chain of certs is passed to the other party, is mutually authenticated and optionally certified by each party's CertVerifier implementation.
  • mesmes CaliforniaAdministrators, ZeroC Staff Mark SpruiellOrganization: ZeroC, Inc.Project: Ice Developer ZeroC Staff

    Welcome to the forum.

    I'm glad you figured it out. Thanks for following up and explaining the resolution.

Sign In or Register to comment.