I'm in the process of testing a system using Cucumber, part of which involves authenticating on a remote .NET server using an SSL client certificate. The developer of this .NET system has provided me with this certificate in the form of a .pem file which looks like this:

    -----BEGIN CERTIFICATE-----
    MIIFzTCCBLWgAwIBAgIKHNfvKAAAAAAAFDANBgkqhkiG9w0BAQUFADBKMRMwEQYK
    ...more lines...
    aaG0c6enKQJiVcA4myLkBkN/wxiZsnBy/zGdj+u4RurxcS717FKm7oYY3JsuRSRH
    Ow==
    -----END CERTIFICATE-----

The code I'm using to connect looks something like this (taken from http://www.rubyinside.com/nethttp-cheat-sheet-2940.html):

    require 'net/http'
    require 'openssl'

    uri = URI.parse("https://secure.com/")
    pem = File.read("/path/to/my.pem")
    http = Net::HTTP.new(uri.host, uri.port)
    http.use_ssl = true
    http.cert = OpenSSL::X509::Certificate.new(pem)   # parses the CERTIFICATE block in the file
    http.key = OpenSSL::PKey::RSA.new(pem)            # this line raises the RSAError quoted below
    http.verify_mode = OpenSSL::SSL::VERIFY_NONE

    request = Net::HTTP::Get.new(uri.request_uri)

However, the line 'http.key = OpenSSL::PKey::RSA.new(pem)' raises the following exception:

    Neither PUB key nor PRIV key:: nested asn1 error (OpenSSL::PKey::RSAError)

I was originally using HTTParty to make the request but had the same problem which I traced to basically the same line within HTTParty itself.

It appears that this certificate I've been given can happily be passed into OpenSSL::X509::Certificate.new to create a certificate object, but it can't be used to create an instance of OpenSSL::PKey::RSA. I've tried removing the line that sets the key, but then the authentication fails. It's possible that this is in fact what I should be doing and that the authentication is failing for some other reason, but I need a clearer idea as to what is going on here before I start digging for problems elsewhere.

From this SO question: What causes "Neither PUB key nor PRIV key:: nested asn1 error" when building a public key in ruby? ... it appears as though a private key should somehow be included in the pem file, but the .NET developers seem to think that this isn't necessary.

Pinning down the .NET developers to get a clear idea as to how exactly their authentication works is proving difficult and I can't seem to find clear info online either. Can anyone shed any light on this?

griswoldbar

1 Answer

OK, in the 34 minutes since posting this, I've figured it out.

The pem file I was using should have contained a private key as well. I acquired a password protected .pfx file from the .NET guys and generated my own pem as follows:

    openssl pkcs12 -in cert.pfx -out cert.pem -nodes

This file contains both certificate and private key and everything now works as it should.

griswoldbar
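As an added example (not code from the question or the answer), here is a loader for the PEM bundle the answer describes: it fails with a descriptive message when the file holds only the certificate (the situation in the question), picks the certificate that matches the private key when the `.pfx` export also contains a chain, and keeps peer verification on instead of `VERIFY_NONE`. The names `load_client_identity`, `client_for`, `sample_bundle` and the `example-client` self-signed certificate are constructed for this example.

```ruby
require 'openssl'
require 'net/http'

# One PEM block: label in group 1 (e.g. "CERTIFICATE", "RSA PRIVATE KEY").
PEM_BLOCK = /-----BEGIN ([A-Z ]+)-----.*?-----END \1-----/m

# Returns [certificate, key] from a bundle such as
# `openssl pkcs12 -in cert.pfx -out cert.pem -nodes` produces.
# Blocks may appear in any order; "Bag Attributes" lines are ignored.
def load_client_identity(pem)
  blocks = pem.to_enum(:scan, PEM_BLOCK).map { Regexp.last_match }
  key_block = blocks.find { |m| m[1].end_with?('PRIVATE KEY') }
  unless key_block
    raise ArgumentError,
          'PEM holds no private key; export certificate and key together ' \
          'with openssl pkcs12 -nodes'
  end
  key = OpenSSL::PKey.read(key_block[0])
  certs = blocks.select { |m| m[1] == 'CERTIFICATE' }
               .map { |m| OpenSSL::X509::Certificate.new(m[0]) }
  # With a chain in the file, only the end-entity cert matches the key.
  cert = certs.find { |c| c.check_private_key(key) }
  raise ArgumentError, 'no certificate in the PEM matches the private key' unless cert
  [cert, key]
end

# Same setup as the question's snippet, but the server certificate is
# still verified (VERIFY_PEER) while we present our client certificate.
def client_for(uri, pem)
  cert, key = load_client_identity(pem)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.cert = cert
  http.key = key
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http
end

# Constructed fixture standing in for the .pfx export: a throwaway
# self-signed certificate and its key, returned both as a cert-only PEM
# (the question's failing input) and as a full bundle.
def sample_bundle
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=example-client')
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  { cert_only: cert.to_pem, bundle: "Bag Attributes\n#{cert.to_pem}#{key.to_pem}" }
end
```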