For a proof of concept development, I have an HAProxy server running on my local machine (OSX) which is expecting to make a 2-way TLS with any client and then forward that client to a web server.
I followed this tutorial to get the authentication set up and this tutorial to create my own certificates. My haproxy config file looks like this:
global
    log 127.0.0.1 local1 notice
frontend intranet
    mode http
    log-format %T\ %t\ %U
    log global
    bind *:2000 ssl crt both.pem ca-file myCA.pem verify required
    default_backend helpdesk
backend helpdesk
    mode http
    server helpdesk 127.0.0.1:9000 check
both.pem has the private RSA key used to generate the root CA and the certificate itself, and myCA.pem is just the certificate. This works, but if there is a better way to do this, please let me know. It seems unnecessarily repetitive to include the certificate twice.
I can connect to the server using openssl s_client -connect 127.0.0.1:2000 -cert ./derived.crt -key ./derived.key. I can also connect by replacing the derived certificate and key with the root certificate and key. Both ways, I get a successful handshake and a connection to the web server on port 9000 (I can send GET and receive back html). For sanity, I also generated a second, unrelated root CA that fails to make the handshake.
I have tried adding both the derived CA and the root CA to my certificates, following the second tutorial's instructions. They get added and are trusted, but Safari still can't connect to the server. It tells me the server unexpectedly dropped the connection (I'm assuming this means the handshake failed or possibly wasn't even attempted). Chrome says it received an empty response.
I am going to try with postman to see if I can get back the same response that openssl gets when I fail (it explicitly tells me the handshake failed), but I wanted to ask this here in case I'm missing something simple that one of you knows about. Any help is greatly appreciated.
UPDATE: I see that I needed to add https:// to the beginning of the address. Now the browser asks me to choose which certificate to use. But, it only shows two certificates that are available by default in the system (certificates from work) and not my new one, which appears in the keychain list.
UPDATE 2: There are two different sections in the keychain for certificates. One is just called "Certificates." That's where my certificates go when I import them. The other is called "My Certificates," and it seems to be a subset of the "Certificates." I'm thinking if I can find a way to add my custom certificate here, then I can use it.
Problem was solved using a post I eventually found on Ask Different.
The command openssl pkcs12 -export -clcerts -inkey private.key -in certificate.crt -out MyPKCS12.p12 -name "Your Name" can be used to create a certificate that can be added to the keychain and then selected in Safari when the connection to the server is made.
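The setup the question describes (HAProxy with crt for the server certificate and ca-file ... verify required for client certificates) and the PKCS#12 export from the answer, worked through end to end as an added shell example that is not part of either post. It assumes the openssl CLI is installed; the directory layout, subject names and export password are made-up values. Unlike the config in the question, it keeps the CA separate from the server certificate, so crt and ca-file carry different files, and it includes the asker's sanity check that a client certificate from an unrelated CA does not verify.

```shell
#!/bin/sh
# Added example, not code from the original question or answer. It uses the
# openssl CLI (assumed installed) to build the material HAProxy mutual TLS
# needs: a root CA, a server certificate for the `crt` option, a client
# certificate for `verify required`, and a PKCS#12 bundle of the client
# identity that Keychain can import. Directory, subjects and password are
# made-up values.
set -eu

P12_PASS="changeit"   # placeholder export password for the .p12

# new_csr DIR NAME SUBJECT: generate a fresh RSA key and a CSR for it.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
  chmod 600 "$1/$2.key"
}

# issue DIR NAME EXTENSIONS: sign DIR/NAME.csr with the CA in DIR. Extensions
# are one string with \n between lines (printf %b expands the escapes).
issue() {
  printf '%b\n' "$3" > "$1/$2.ext"
  openssl x509 -req -sha256 -days 365 -in "$1/$2.csr" \
    -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
    -extfile "$1/$2.ext" -out "$1/$2.crt" >/dev/null 2>&1
}

# make_pki DIR: create CA, server and client material under DIR.
make_pki() {
  mkdir -p "$1"
  # Root CA, self-signed with explicit CA extensions. Only ca.crt goes to
  # HAProxy (ca-file); ca.key stays on the signing host.
  new_csr "$1" ca "/CN=Example Root CA"
  printf '%b\n' "basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign" > "$1/ca.ext"
  openssl x509 -req -sha256 -days 365 -in "$1/ca.csr" -signkey "$1/ca.key" \
    -extfile "$1/ca.ext" -out "$1/ca.crt" >/dev/null 2>&1
  # Server leaf: the SAN is what browsers match against the URL host.
  new_csr "$1" server "/CN=localhost"
  issue "$1" server "subjectAltName=DNS:localhost,IP:127.0.0.1\nextendedKeyUsage=serverAuth"
  # Client leaf: this is what `verify required` checks against ca-file.
  new_csr "$1" client "/CN=Example Client"
  issue "$1" client "extendedKeyUsage=clientAuth"
  # HAProxy's `crt` expects certificate followed by key in a single PEM file.
  cat "$1/server.crt" "$1/server.key" > "$1/server.pem"
  chmod 600 "$1/server.pem"
  # Keychain wants certificate and key together as PKCS#12, as in the answer.
  openssl pkcs12 -export -inkey "$1/client.key" -in "$1/client.crt" \
    -name "Example Client" -passout "pass:$P12_PASS" -out "$1/client.p12"
}

# verify_chain CA_CERT LEAF_CERT: exit 0 if LEAF chains to CA_CERT, which is
# the check HAProxy performs on the client certificate with `verify required`.
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# p12_subject P12_FILE: print the subject of the certificate inside the bundle.
p12_subject() {
  openssl pkcs12 -in "$1" -passin "pass:$P12_PASS" -nokeys 2>/dev/null \
    | openssl x509 -noout -subject
}

# Stand-alone use: sh mtls_pki.sh ./pki
if [ $# -gt 0 ]; then
  make_pki "$1"
  if verify_chain "$1/ca.crt" "$1/client.crt"; then
    echo "client.crt verifies against ca.crt"
  fi
  p12_subject "$1/client.p12"
fi
```

With these files the bind line from the question becomes bind *:2000 ssl crt server.pem ca-file ca.crt verify required, and client.p12 is the file to import into Keychain so the identity (certificate plus private key) is available for Safari's certificate prompt; a certificate imported on its own without its key is what ends up under "Certificates" only.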