Client certificate authentication with certificates issued with Root CA without CN

  • 2 replies
  • 1 has this problem
  • 20 views
  • Last reply by cor-el

Hi,

we are experiencing issues with client certificate authentication in Firefox and we suspect the issue could be related to a "badly" formatted root CA certificate. The root CA certificate (issued in 2003) contains a Subject without CN (only OU, O and C). Also, the value of the extension 2.5.29.19 parameter "Path Length Constraint" is set to the string value "None" - usually it should be numeric, e.g. 0.

The issue occurs when the web server requires client certificate authentication - Internet Explorer and Chrome will offer a client certificate issued with such a CA while Firefox won't. We tested with two web servers, Apache, which sends the CTL to the browser, and IIS, which does not (checked with openssl s_client), and the results were the same - Firefox will not offer a client certificate issued with the mentioned CA. We tested scenarios with the certificate (and root CA certificate) stored in the Software security device and on a smart card.

Is this behaviour by design?

Best regards,

    Blaz
All Replies (2)

Are you still looking for an answer to this? I do not know the answer, but may be able to find someone who can help.

See this page for contact information: