I'm developing an iOS app which uses a third-party framework over SSL.
In order to connect to the server I need to pass a server certificate, a client certificate and a passphrase:
[HostConfiguration hostConfigurationWithAddress:@"demo.server...." port:743 securedWithSSL:YES serverCertPath:[[NSBundle mainBundle] pathForResource:@"server-cert" ofType:@"der"] clientCertChainPath:[[NSBundle mainBundle] pathForResource:@"client-cert" ofType:@"p12"] chainPassphrase:@"abcdefg"];
So I requested the certificates from support and they sent me a zip file (I'm using a Mac) containing:
- chain_2016.pem (the Mac identifies it as "root")
- passphrase
- yourcertificate.pem ("standard")
- yourcertificate.p12 ("personal")
The passphrase file contains 2 strings: the passphrase for the p12 file, and a 32-character-long string which I don't know what it is for. It looks like this: 53cfe0e1914ef853e148f29c0a56b716
I know the p12 file and the passphrase are correct. But what confuses me is that I have 2 pem files and need 1 DER-encoded certificate. I tried to convert each pem to der using
openssl x509 -in ...
but it did not work...
I printed out the content of both chain_2016 and yourcertificate.pem, and noticed that yourcertificate.pem contains chain_2016 plus 2 more certs.
chain_2016.pem
cat chain_2016.pem
-----BEGIN CERTIFICATE-----
miiertccay2gawibagiinqskoyelgawwdqyjkozihvcnaqefbqawga8xhjacbgkq
[...]
vpepwkh17rzbvmktsdjqo1zch8xiwszp0dnjjw13zn/cpwbjkhy0lpa=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
miifszccbdogawibagiipuhyasjrbr8wdqyjkozihvcnaqefbqawga8xhjacbgkq
[...]
zeitvrwyctzvo7nwb+zf
-----END CERTIFICATE-----
yourcertificate.pem
cat yourcertificate.pem
Bag Attributes
    localKeyID: 2E EC 57 1C 31 82 6D 82 68 59 86 93 FB FA 65 16 58 85 21 22
    friendlyName: myapp.test.client
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
miievgibadanbgkqhkig9w0baqefaascbkgwggskageaaoibaqcu9uvuzylsoc5u
[...]
zoqqfirequ9kn4nhmzlkr0zy
-----END PRIVATE KEY-----
Bag Attributes
    localKeyID: 2E EC 57 1C 31 82 6D 82 68 59 86 93 FB FA 65 16 58 85 21 22
    friendlyName: myapp.test.client
...here other info: subject/email etc...
-----BEGIN CERTIFICATE-----
miihljccbx6gawibagiietxy2amji0cwdqyjkozihvcnaqenbqawgbuxhjacbgkq
[...]
hdaq5p+vchfd8cgodi61yjb2pgjg67lwviu=
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: CompanyName Meta Root CA Test
...again other info: subject/email etc...
-----BEGIN CERTIFICATE-----
miiertccay2gawibagiinqskoyelgawwdqyjkozihvcnaqefbqawga8xhjacbgkq
[this is the same as one of the certificates in chain_2016]
vpepwkh17rzbvmktsdjqo1zch8xiwszp0dnjjw13zn/cpwbjkhy0lpa=
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: CompanyName Sub Test Root CA 1
...again other info: subject/email etc...
-----BEGIN CERTIFICATE-----
miifszccbdogawibagiipuhyasjrbr8wdqyjkozihvcnaqefbqawga8xhjacbgkq
[second certificate in chain_2016]
zeitvrwyctzvo7nwb+zf
-----END CERTIFICATE-----
Since this is my first time working with SSL, I hope someone can help me!
Update:
pedrofb, as I said, I tried:
I tried to convert each pem to der using
openssl x509 -in ...
but it did not work...
There are 2 steps in using the framework. First, establish a connection to the server, then perform an action. Using either of the converted der-files allows me to connect, but when I try to perform an action (e.g. login) I get "you are not authorized for this action". Does this mean the certificates are ok and the error comes from somewhere else, unrelated to SSL?
It seems you are performing two-way SSL. You need:
- The server certificate path, to add to the truststore and verify during the handshake: chain_2016.pem
- A client certificate to present during the handshake: yourcertificate.p12 and its passphrase
A PEM file can contain several certificates and/or private keys, separated by -----BEGIN ----- and
-----END -----
headers.
They have probably sent you the same information in yourcertificate.pem
and yourcertificate.p12
, just changing the format, and the passwords correspond in the first case to the private key and in the second case to the password of the p12 file. You can easily check the content of .p12 files with a GUI tool like KeyStore Explorer, or with openssl.
DER is a binary format to encode a certificate. PEM is the DER file converted to base64 with headers added. To convert PEM to DER use openssl (see this):
openssl x509 -in chain_2016.pem -outform der -out chain_2016.der
So, in summary, checking the documentation, I think you need:
serverCertPath: chain_2016.der
clientCertChainPath: yourcertificate.p12
chainPassphrase: thep12passphrase
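As an added example (not code from the question or the answer), here is a small pure-Python reader that does what the answer describes: it splits a multi-block PEM file such as yourcertificate.pem into its BEGIN/END blocks, skips the Bag Attributes text between them, base64-decodes each block to DER, and shows that converting "the" certificate the way openssl x509 does keeps only the first CERTIFICATE block, so a file holding a private key plus a chain is not the same thing as the chain_2016.pem trust store. The sample PEM content and the helper names are constructed for this example.

```python
import base64
import re

# Constructed stand-in for yourcertificate.pem from the question: PKCS#12
# "Bag Attributes" text, a private key, then two certificates. The base64
# bodies are tiny constructed DER SEQUENCEs, not real keys or certificates.
_FAKE_DER = base64.b64encode(bytes([0x30, 0x03, 0x02, 0x01, 0x01])).decode()
SAMPLE_PEM = f"""Bag Attributes
    friendlyName: myapp.test.client
-----BEGIN PRIVATE KEY-----
{_FAKE_DER}
-----END PRIVATE KEY-----
Bag Attributes
    friendlyName: myapp.test.client
-----BEGIN CERTIFICATE-----
{_FAKE_DER}
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: CompanyName Meta Root CA Test
-----BEGIN CERTIFICATE-----
{_FAKE_DER}
-----END CERTIFICATE-----
"""

# One PEM block: BEGIN <label>, base64 body, END <same label>.
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def split_pem(text):
    """(label, der_bytes) per block; text outside the markers is skipped."""
    blocks = []
    for m in _PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        der = base64.b64decode("".join(body.split()))
        # X.509 certificates and PKCS#8 keys are DER SEQUENCEs (tag 0x30).
        if not der or der[0] != 0x30:
            raise ValueError(f"{label}: body does not decode to DER")
        blocks.append((label, der))
    return blocks


def first_certificate_der(text):
    """What `openssl x509 -in f.pem -outform DER` writes: only the first
    CERTIFICATE block; keys and later certificates are dropped."""
    for label, der in split_pem(text):
        if label == "CERTIFICATE":
            return der
    raise ValueError("no CERTIFICATE block found")


def contains_private_key(text):
    """True if the file carries key material, unlike a trust-store file."""
    return any("PRIVATE KEY" in lbl for lbl, _ in split_pem(text))
```

Run split_pem over a real PEM from the zip and the returned labels tell you at a glance which file is a bare chain (certificates only) and which one also carries the private key.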