
I want to hit the REST endpoints of a Server, say xyz.com. They have provided certificates in PEM format which I should be including in my application while connecting to their endpoints.

My application is written in the Spring Framework and I need to convert PEM to P12 format, as Spring won't accept PEM. This is how I convert:

openssl pkcs12 -export -out certificate.p12 -inkey private.pem -in server_cert.pem

Where,

certificate.p12 = resultant p12 file

private.pem = private key

server_cert.pem = certificate files of the server

The error I get is:

No certificate matches private key.

Now my questions:

  1. Whose private key should be used to generate the P12 file from the PEM file?
  2. If the private key of client is used to generate p12, how could it possibly match with the certificate (error message becomes obvious)?
  3. Why would I need my private key to communicate with the server? As per my understanding, during an SSL session, the private key of the client doesn't come into the picture. Or is my understanding wrong?
  4. If the private key of the server is used to generate p12, why would they share it?

I'm a novice and therefore any links/suggested-reading/sources/answers are welcome.

Akeshwar Jha
  • Where did you get your `server_cert.pem` from? When you were given a private key for you to use to connect to a server, you should also be given a signed certificate. From the name of the file, it looks like you are using server_cert.pem, which I'm assuming will only include the server's cert, not your cert. You should be doing it with the certificate that was signed for you to use. – always_a_rookie Oct 09 '17 at 16:05
  • The server dev provided it to all the clients who would be calling their endpoints. – Akeshwar Jha Oct 09 '17 at 16:07
  • Generally, most of the time `p12`s will be given out to the clients. Have you tried asking them for a p12? And when you double click on the pem, the system certificate viewer opens up. What does the leaf certificate say? Look for attributes like SubjectDN, IssuerDN, SubjectAltName. This should give an idea of whether you were given the right certificate. – always_a_rookie Oct 09 '17 at 16:11
  • The fields you mentioned seem legit. There are 4 certificates in total in the PEM file, up to the root level certificate which is self-signed. Every certificate has multiple fields, including the public key, but I can't find the private key anywhere. Can you please tell me why a private key is required for a P12 file (so that it needs to be distributed to the clients)? – Akeshwar Jha Oct 09 '17 at 18:51

1 Answer


If you look at how the client-authentication works, in the 'Negotiation Phase', the second from the last point says:

The client sends a CertificateVerify message, which is a signature over the previous handshake messages using the client's certificate's private key. This signature can be verified by using the client's certificate's public key. This lets the server know that the client has access to the private key of the certificate and thus owns the certificate.

So to answer your questions:

  1. You should be using the private-key that was given to you.
  2. A PKCS12 is a type of Java KeyStore, which is similar to a standard JKS. It can contain a list of key pairs. But the internet standard of PKCS12 is to have only 1 key pair entry, i.e., 1 Private Key with its associated certificate chain. Since the private key and the certificate chain were given to you as separate entities, you should be constructing the PKCS12 yourself, which you will be using in your code to authenticate your client to the server that is providing you the service.
  3. If you look at the steps of how the handshake happens at the protocol level, you should see that the client's private key (your private key) is used to sign some data and send it to the server, where the server will be validating the authenticity of the message based on your public key. Once the server validates the message, it will come to the conclusion that you possess the private key.
  4. You wouldn't be given the server's private key. You are given your (the user's) private key, which you guard and shouldn't give to anyone.

There might be something missing or a trivial error while you are constructing the p12 with the private key and the certificate chain, which is causing it to fail. If it doesn't work out, you could also construct the p12 using the KeyStore API programmatically.

always_a_rookie
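The following script is an added example, not code from the question or the answer above. It reproduces the "No certificate matches private key" situation with a constructed, throwaway PKI and then shows the export done the way the answer describes: your own private key with the certificate issued for it, plus the issuing chain. It assumes the openssl command-line tool is on PATH; the subject names, file names and the keystore password `changeit` are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the openssl CLI is on
# PATH; everything below is a constructed throwaway PKI, not real credentials.
set -eu

# Does the public key inside CERT_PEM belong to KEY_PEM?  This is the same
# comparison openssl makes before it reports "No certificate matches private key".
cert_matches_key() {  # key.pem cert.pem
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Build the PKCS#12 the way the question's command should be run: YOUR private
# key (-inkey), YOUR leaf certificate (-in), and the issuing chain (-certfile).
build_p12() {  # key.pem leaf.pem chain.pem out.p12 password
  openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
    -out "$4" -passout "pass:$5"
}

# Number of certificates stored in a .p12 (leaf plus chain).
p12_cert_count() {  # file.p12 password
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Constructed fixtures: one CA, a "client" key+cert (what the API provider
# should issue to you) and an unrelated "server" cert (the server_cert.pem of
# the question). Subject names are made up.
make_fixtures() {  # dir
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Example Test CA" -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  for name in client server; do
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name.example" \
      -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
    openssl x509 -req -in "$d/$name.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
      -CAcreateserial -days 1 -sha256 -out "$d/$name.crt" 2>/dev/null
  done
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_fixtures "$WORK"
PASS=changeit   # assumed keystore password for the example

# Reproduce the question: the client's key against the *server's* certificate.
if cert_matches_key "$WORK/client.key" "$WORK/server.crt"; then
  echo "unexpected: server cert matches client key"
else
  echo "client.key does not match server.crt -> openssl will refuse to export"
fi

# The right pairing: the client's key with the certificate issued for it.
if cert_matches_key "$WORK/client.key" "$WORK/client.crt"; then
  build_p12 "$WORK/client.key" "$WORK/client.crt" "$WORK/ca.crt" \
    "$WORK/client.p12" "$PASS"
  echo "client.p12 holds $(p12_cert_count "$WORK/client.p12" "$PASS") certificate(s)"
fi
```

Two practical notes. First, run `cert_matches_key` on whatever you were given before exporting: if the only certificates you hold are the server's, no private key of yours will ever match them, which is exactly the error in the question. Second, the four-certificate server_cert.pem belongs in the client's trust store (it is what you validate the server against), while the .p12 built here is the client key store, used only if the server actually asks for a client certificate; do not put the server's chain into the key store expecting it to authenticate you.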