
I'm developing an iOS app which uses a third-party framework and SSL.
In order to connect to the server I need to pass a server certificate, a client certificate and a passphrase:

[HostConfiguration hostConfigurationWithAddress:@"demo.server...."
                                           port:743
                                 securedWithSSL:YES
                                 serverCertPath:[[NSBundle mainBundle] pathForResource:@"SERVER-CERT" ofType:@"der"]
                            clientCertChainPath:[[NSBundle mainBundle] pathForResource:@"CLIENT-CERT" ofType:@"p12"]
                                chainPassphrase:@"ABCDEFG"];

So, I requested the certificates from their support to connect and they sent me a zip file (I'm using a Mac):

  • chain_2016.pem (mac identifies as "Root")
  • passphrase
  • yourCertificate.pem ("Standard")
  • yourCertificate.p12 ("Personal")

The passphrase file contains two strings, the passphrase for the p12 file and a 32-character-long string which I do not know what it is for. It looks something like this: 53CFE0E1914EF853E148F29C0A56B716

I know the p12 file and the passphrase are correct. But what confuses me are the two PEM files, where I only need one DER encoded certificate. I tried to convert each PEM to DER using
openssl x509 -in ...
But it did not work...

I printed out the content of both chain_2016 and yourCertificate.pem and noticed that yourCertificate.pem contains chain_2016 plus two extra certs.

chain_2016.pem

cat chain_2016.pem
-----BEGIN CERTIFICATE-----
MIIERTCCAy2gAwIBAgIINQskOyELGawwDQYJKoZIhvcNAQEFBQAwga8xHjAcBgkq
[...]
VPEpWKH17rzBvmktsDjqo1Zch8xiWSzP0DnJJw13Zn/cPwBJkHY0LPA=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFSzCCBDOgAwIBAgIIPuhYaSjrBR8wDQYJKoZIhvcNAQEFBQAwga8xHjAcBgkq
[...]
ZeitvrwyCtzVo7NWb+Zf
-----END CERTIFICATE-----

yourCertificate.pem

cat yourCertificate.pem
Bag Attributes
localKeyID: 2E EC 57 1C 31 82 6D 82 68 59 86 93 FB FA 65 16 58 85 21 22 
friendlyName: myApp.test.client
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCu9UVuZyLsOc5u
[...]
zoQQfIreqU9KN4nhmZLKR0zY
-----END PRIVATE KEY-----
Bag Attributes
localKeyID: 2E EC 57 1C 31 82 6D 82 68 59 86 93 FB FA 65 16 58 85 21 22 
friendlyName: myApp.test.client
...Here some other info like subject/email etc...
-----BEGIN CERTIFICATE-----
MIIHljCCBX6gAwIBAgIIETxy2amJI0cwDQYJKoZIhvcNAQENBQAwgbUxHjAcBgkq
[...]
hdAq5P+vcHfD8cGOdI61yJB2PgJg67lWviU=
-----END CERTIFICATE-----
Bag Attributes
friendlyName: CompanyName Meta ROOT CA TEST
...Again some other info like subject/email etc...
-----BEGIN CERTIFICATE-----
MIIERTCCAy2gAwIBAgIINQskOyELGawwDQYJKoZIhvcNAQEFBQAwga8xHjAcBgkq

[This is the same as one of the certificates in chain_2016]

VPEpWKH17rzBvmktsDjqo1Zch8xiWSzP0DnJJw13Zn/cPwBJkHY0LPA=
-----END CERTIFICATE-----
Bag Attributes
friendlyName: CompanyName SUB TEST ROOT CA 1
...Again some other info like subject/email etc...
-----BEGIN CERTIFICATE-----
MIIFSzCCBDOgAwIBAgIIPuhYaSjrBR8wDQYJKoZIhvcNAQEFBQAwga8xHjAcBgkq

[Second certificate in chain_2016]

ZeitvrwyCtzVo7NWb+Zf
-----END CERTIFICATE-----

Since this is my first time working with SSL, my hope is that somebody could help me. Thanks!

UPDATE:
Thanks pedrofb, as I said, I already tried:

I tried to convert each PEM to DER using
openssl x509 -in ...
But it did not work...

There are two steps in using this framework. First, establish a connection to the server and then perform an action. Using either of the converted DER files allows me to connect, but when I try to perform an action (e.g. login) I get "You are not authorized for this action". Does this mean everything is OK with the certificates and the error comes from somewhere else unrelated to SSL?

  • The last message is a controlled error. Seems the SSL connection has been established and the backend server is responding – pedrofb Aug 03 '16 at 06:02

1 Answer


It seems that you are performing two-way SSL. You need:

  • The server certificate path to add to your truststore and verify during handshake. Probably chain_2016.pem
  • A client certificate to present during handshake. yourCertificate.p12 and passphrase

A PEM file could contain several certificates and/or private keys. They are separated by -----BEGIN----- / -----END----- headers.

Probably they have sent the same information in yourCertificate.pem and yourCertificate.p12, simply changing the format, and the passwords correspond in the first case to the private key and in the second case to the password for the p12 file. You can easily check the content of .p12 files with the GUI tool KeyStore Explorer or openssl

DER is a binary format to encode the certificate. PEM is a DER file converted to base64 and adding the headers. To convert the PEM to DER use openssl (see this)

 openssl x509 -in chain_2016.pem -outform der -out chain_2016.der

So, in summary, checking your documentation, I think you would need

serverCertPath: chain_2016.der
clientCertChainPath: yourCertificate.p12
chainPassphrase: theP12Passphrase
pedrofb
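The two points above (the answer's note that PEM is just base64-encoded DER between headers, and the question's finding that yourCertificate.pem contains the chain_2016 certificates plus extras) worked through as an added Python example that is not part of the question or answer: it splits each bundle, converts every block to DER with the standard library instead of openssl, reads the serial number straight from the DER, and fingerprints the certificates to show which one is the client certificate. The sample bundles are constructed stubs (only the serial numbers are real, decoded from the first base64 line of each certificate shown in the question), so the script runs offline.

```python
import hashlib
import re
import ssl

_PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----\n?", re.S)

def _tlv(buf, pos):
    """Read one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        k = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, pos, pos + length

def serial_number(der):
    """Certificate -> tbsCertificate -> optional [0] version -> serialNumber INTEGER."""
    tag, pos, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not one DER SEQUENCE of the declared length")
    tag, pos, _ = _tlv(der, pos)           # tbsCertificate SEQUENCE
    tag, vstart, vend = _tlv(der, pos)
    if tag == 0xA0:                        # explicit version tag present (v2/v3): skip it
        tag, vstart, vend = _tlv(der, vend)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    return der[vstart:vend].hex()

def describe_bundle(pem_text):
    """Split a PEM bundle into [(serial_hex, sha256_hex, der_bytes), ...]; der_bytes is what a .der file holds."""
    out = []
    for block in _PEM_BLOCK.findall(pem_text):      # skips "Bag Attributes" lines etc.
        der = ssl.PEM_cert_to_DER_cert(block)        # PEM -> DER is just header strip + base64 decode
        out.append((serial_number(der), hashlib.sha256(der).hexdigest(), der))
    return out

def certs_not_in_chain(client_pem, chain_pem):
    """Certificates of client_pem absent from chain_pem (by fingerprint): the end-entity cert(s)."""
    chain = {fp for _, fp, _ in describe_bundle(chain_pem)}
    return [(serial, fp) for serial, fp, _ in describe_bundle(client_pem) if fp not in chain]

def _stub_cert(serial):
    """Constructed sample: minimal DER with version, serial and an empty SEQUENCE as the rest of tbs."""
    tbs = b"\xa0\x03\x02\x01\x02" + bytes([0x02, len(serial)]) + serial + b"\x30\x00"
    tbs = bytes([0x30, len(tbs)]) + tbs
    return bytes([0x30, len(tbs)]) + tbs

# Constructed bundles with the layout from the question: chain file = two CA certs, client file =
# end-entity cert plus the same two CAs. Serials are the ones decoded from the question's base64.
ROOT = ssl.DER_cert_to_PEM_cert(_stub_cert(bytes.fromhex("350b243b210b19ac")))
SUB = ssl.DER_cert_to_PEM_cert(_stub_cert(bytes.fromhex("3ee8586928eb051f")))
LEAF = ssl.DER_cert_to_PEM_cert(_stub_cert(bytes.fromhex("113c72d9a9892347")))
CHAIN_PEM = ROOT + SUB
CLIENT_PEM = "Bag Attributes\n    friendlyName: myApp.test.client\n" + LEAF + ROOT + SUB
```

On a real bundle, writing `describe_bundle(text)[i][2]` to a file produces the same bytes as `openssl x509 -outform der` for that block, and the fingerprints can be compared against what the server framework logs.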