NetTalk Central

Author Topic: Intermediate CA SSL File - How to use  (Read 15105 times)

BColladay

Intermediate CA SSL File - How to use
« on: November 24, 2010, 12:22:13 PM »
I am getting a "certificate not trusted" only on Android Devices.  It is a GoDaddy certificate and works on every browser everywhere except Android.  This is a known issue when you don't have the intermediate CA file, this is the solution:

http://community.godaddy.com/help/article/870?isc=smfor1


Does anybody know how to use an intermediate certificate along with the key and standard crt file on NTWS?

Bruce

Re: Intermediate CA SSL File - How to use
« Reply #1 on: November 24, 2010, 10:38:15 PM »
I haven't chased this down in a while myself, but as I recall you just put the two certificates into the same text file, i.e. you use notepad to "merge" the two together. But as I say, it's been a long time since I did this.

If you get it right please make a note here as to what you did for future reference.

cheers
Bruce

BColladay

Re: Intermediate CA SSL File - How to use
« Reply #2 on: November 26, 2010, 06:41:51 AM »
Okay, it was easy enough...I just don't know why / how it works...but I finally just renamed my intermediate CA file (p7b) to my NTWS [certificatename].pem; that seemed to fix it.  I couldn't get it to work through many incantations of combining the certificate files.

BColladay

Re: Intermediate CA SSL File - How to use
« Reply #3 on: November 26, 2010, 09:29:04 AM »
Ok, so I jumped the gun as usual...When I "fixed" it for "Android" it broke it for everything else...I'll let you know.

Alberto

Re: Intermediate CA SSL File - How to use
« Reply #4 on: November 26, 2010, 10:46:12 AM »
Hi, I'm with a serious problem too.
I need to communicate with a Web Service, they gave me two certificates (.cer), one is CA and I can't open a single https page to check it.
I've tried it with Firefox and it opens the page ok but trying with the demo app it's impossible.
Sorry if I bother you, I've posted some messages but... no response.
Do you know how to deal with certificates?
The NT docs are so vague on it and I don't understand what to do.
What's the difference between using .cer/.key files and only using a CA file?
What do
DontVerifyRemoteCertificateCommonName and
DontVerifyRemoteCertificateWithCARoot
mean and how to use these switches?
Thanks in advance.
Alberto
-----------
Regards
Alberto

BColladay

Re: Intermediate CA SSL File - How to use
« Reply #5 on: November 29, 2010, 09:09:03 AM »
Alberto, I am also interested in finding out how to use those settings, specifically: SSLCertificateOptions.DontVerifyRemoteCertificateWithCARoot.  It seems I need to do just that in order to get Android devices to trust the certificate.

I can tell the browser to ignore the trust issue but it tries to "download" pdf files instead of "browsing" them in the browser.  Apparently the downloader in Android has no method by which to let you know the certificate isn't trusted and it just sits there unable to start the file download.

BColladay

Re: Intermediate CA SSL File - How to use
« Reply #6 on: November 29, 2010, 01:21:17 PM »
This page and the copied section below seem to say that pem files are used by NTWS.


http://www.capesoft.com/docs/nettalk/NetTalkWebSecure.htm#Create_Certificate_Signing_Request


Quote
Part 3
Open a command prompt window, go to the temp folder
type
openssl pkcs12 -in whatever.pfx -info -out whatever.pem -nodes
openssl pkcs12 -in whatever.pfx -clcerts -nokeys -out whatever.crt
openssl pkcs12 -in whatever.pfx -nocerts -out whatever.key

Part 4

Copy the pem, crt and key files to your \certificates folder

I tried using this:
Code:
ThisWebServer.SSLCertificateOptions.CARootFile = clip('web') & '\' & clip(lcl:CertPathName) & '.pem'
In the embed section shown here:
Code:
! Start of "WindowManager Method Executable Code Section"
  ! [Priority 50]
        lcl:CertPathName = 'Certificates\' & getini('pathinfo', 'certname', 'setting', '.\PDSwebpath.ini')       
        lcl:UserDefPort = getini('pathinfo', 'port', '89', '.\PDSwebpath.ini')
  ! [Priority 300]
  DO CleanUpTempFiles
  ! Enter procedure scope
  GlobalErrors.SetProcedureName('WebServer')
  ! [Priority 800]
   
  ThisWebServer.SSL = 1 ! Use SSL to make a Secure Web Server
  ThisWebServer.SSLCertificateOptions.DontVerifyRemoteCertificateCommonName = 1
  ThisWebServer.SSLCertificateOptions.DontVerifyRemoteCertificateWithCARoot = 1
  ThisWebServer.SSLCertificateOptions.CertificateFile = clip('web') & '\' & clip(lcl:CertPathName) & '.crt'
  ThisWebServer.SSLCertificateOptions.PrivateKeyFile =  clip('web') & '\' & clip(lcl:CertPathName) & '.key'
  ! [Priority 2000]
  ThisWebServer.SSLCertificateOptions.CARootFile = clip('web') & '\' & clip(lcl:CertPathName) & '.pem'
  ! [Priority 4000]
 
  ! Snap-shot GlobalRequest
  SELF.Request = GlobalRequest                             ! Store the incoming request
  ! [Priority 4950]

It looks like the DontVerifyRemoteCertificateWithCARoot = 1 setting would cause it to ignore the pem file.






BColladay

Re: Intermediate CA SSL File - How to use
« Reply #7 on: December 01, 2010, 07:37:43 AM »
Still not working.

I have tried this suggestion:

Quote
I think the order matters to some tools... try them in the file in this order:

(1) your certificate
(2) intermediate authority
(3) root authority

I even tried all possible orders.

I have tried it with the combined file as a named.pem file, as a named.crt file as well, and combinations of each.

I think I need assistance or guidance as to how NTWS would use the intermediate Cert.

It looks like DontVerifyRemoteCertificateWithCARoot = 1 actually should work right, it will not attempt to verify the Root cert, which would go through the intermediate cert.  Is this correct?
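
Added example, not part of the posts above and not NetTalk or CapeSoft code: a standard-library Python helper that takes a merged PEM bundle in any order and returns the certificates in the order quoted in the suggestion (your certificate, intermediate authority, root authority) by linking each issuer name to the matching subject name. The `fake_pem` sample certificates and all names in them are constructed stand-ins; the helper matches names only and does not verify signatures.

```python
import base64, re
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Raw issuer and subject Name encodings of one DER certificate."""
    _, pos, _ = read_tlv(der, 0)             # Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)           # tbsCertificate SEQUENCE
    fields = []
    while len(fields) < 5:                   # serial, sigAlg, issuer, validity, subject
        tag, _, end = read_tlv(der, pos)
        if tag != 0xA0:                      # skip the optional [0] version
            fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def order_chain(pem_text):
    """Certificates of a PEM bundle as DER, ordered leaf -> intermediate(s) -> root."""
    ders = [base64.b64decode(b) for b in PEM_RE.findall(pem_text)]
    names = {d: issuer_subject(d) for d in ders}
    by_subject = {sub: d for d, (_, sub) in names.items()}
    issuing = {iss for iss, sub in names.values() if iss != sub}
    chain = [d for d in ders if names[d][1] not in issuing]   # nothing is issued by the leaf
    if len(chain) != 1:
        raise ValueError("bundle does not form a single chain (missing intermediate?)")
    while len(chain) < len(ders):
        iss, sub = names[chain[-1]]
        if iss == sub or iss not in by_subject:
            break                            # self-signed root reached, or issuer absent
        chain.append(by_subject[iss])
    return chain

# Constructed sample data: name-only stand-ins, NOT real signed certificates.
def _tlv(tag, body): return bytes([tag, len(body)]) + body
def _name(cn): return _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(6, b"\x55\x04\x03") + _tlv(12, cn.encode()))))
def fake_pem(subject, issuer):
    tbs = _tlv(0xA0, _tlv(2, b"\x02")) + _tlv(2, b"\x01") + _tlv(0x30, b"") + _name(issuer) + _tlv(0x30, b"") + _name(subject)
    der = _tlv(0x30, _tlv(0x30, tbs))
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(der).decode()
ROOT = fake_pem("Example Root CA", "Example Root CA")
INTERMEDIATE = fake_pem("Example Intermediate CA", "Example Root CA")
LEAF = fake_pem("www.example.test", "Example Intermediate CA")
ORDERED = order_chain(ROOT + LEAF + INTERMEDIATE)   # deliberately shuffled input
```

A bundle that holds the site certificate and the root but not the intermediate raises `ValueError`, because the names no longer link into one chain.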

Bruce

Re: Intermediate CA SSL File - How to use
« Reply #8 on: December 01, 2010, 09:46:07 PM »
Hi Ben,

I'll try and work through the process, and write it up.

cheers
Bruce

BColladay

Re: Intermediate CA SSL File - How to use
« Reply #9 on: December 02, 2010, 06:16:50 AM »
Thanks, I would appreciate that.  I've been 3 plus days going through iterations of merging files through various methods.   Will NTWS use a pem file in addition to crt and key files?  I guess that is my biggest question right now.


Alberto

Re: Intermediate CA SSL File - How to use
« Reply #10 on: December 02, 2010, 08:44:11 AM »
And Bruce... If you have a min, may you please try to connect to the SSL server of my post, I think it's related.
Thanks
Alberto
-----------
Regards
Alberto

Bruce

Re: Intermediate CA SSL File - How to use
« Reply #11 on: December 03, 2010, 12:35:30 AM »
I responded to your post in the 3rd party newsgroup about that Alberto.

cheers
Bruce

Alberto

Re: Intermediate CA SSL File - How to use
« Reply #12 on: December 03, 2010, 03:05:36 AM »
Yes Bruce, I read it but nothing works.
So, if you have a minute, maybe trying to connect you can solve the problem.
Thanks
Alberto
-----------
Regards
Alberto

Bruce

Re: Intermediate CA SSL File - How to use
« Reply #13 on: December 04, 2010, 12:29:16 AM »
Hi Alberto,

For completeness sake, what I posted there was;

--------------------------
First I tried connecting to the site via a basic FireFox browser.
This gave the expected "certificate not ok" type message, because the
certificate they are using is not authenticated by a
Certificate Authority recognised by the browser. However that was expected,
so I added an exception.

I then got an error;
SSL peer was unable to negotiate an acceptable set of security parameters.
(Error code: ssl_error_handshake_failure_alert)
(still in Firefox)

doing an SSLScan (sslscan --no-failed wsqacfe.interfacturas.com.ar:443)
returned a list of zero supported ciphers. (which is not good).

I then ran the NetDemo example, turning on the options to ignore the
certificate details for now.
However the netdemo app couldn't connect to the server citing;

"Error Message: The requested connection could not be opened. The Open
command timed out or failed to connect. The error number was -53 which means
Open Timeout or Failure error. - [SSL Error = 16]"

using the OpenSSL utility

openssl s_client -connect wsqacfe.interfacturas.com.ar:443

I get the same error as firefox (alert handshake failure)

So before I can even begin to test further I need to know what to do to
actually connect to the server. You can repeat the tests
mentioned above from your location to see what happens, if they fail I
recommend contacting the client with the test results and
asking for their recommendations.
---------------------


So to reiterate my conclusions -
You can repeat the tests
mentioned above from your location to see what happens, if they fail I
recommend contacting the client with the test results and
asking for their recommendations.

There's no connection to them from here, from any program, so there's nothing I can do.

Alberto

Re: Intermediate CA SSL File - How to use
« Reply #14 on: December 05, 2010, 08:07:06 AM »
Thanks Bruce!
I don't know what's going on.
I try to install the certs in my notebook at home and can't access the site.
I really can access it from a desktop at work!
Maybe it has something to do with the key file.
This week they gave me a java client and I will try to use it using RUN(), not the best solution but if it works...
Thanks again,
Alberto

-----------
Regards
Alberto