# Help needed using GNUTLS for PKCS12 client certificates

## VinzC

Hi again.

I'm struggling with GNUTLS certtool to export a PKCS#12 client certificate for use in Firefox. _ALL_ my attempts yielded an infamous «The PKCS#12 operation failed for unknown reasons»...

So far I

- generated a CA (certificate authority) key and certificate: it works
- imported my self-signed CA certificate into Firefox: it works
- generated a server certificate/key pair for my local web server, based on that CA: it works.
- browsed my local web server with the new server certificate: it works (i.e. I get no SSL warning, as expected).

I then generated a client certificate/key pair (using the above CA) for authenticating myself against my local web server. I could verify the certificate with and without the chain, all are valid.

```
Certificate[0]: C=BE,O=...,CN=myself,UID=...
   Issued by: C=BE,... (Root CA)
   Verifying against certificate[1].
   Verification output: Verified.

Certificate[1]: C=BE,O=...
   Issued by: C=BE,O=...
   Verification output: Verified.

Chain verification output: Verified.
```

Then I tried to [guess how to] generate a PKCS12 file from the above client certificate that I would import in Firefox; that fails with the above error right after I typed the password.

```
certtool --load-ca-certificate x509-ca.crt --load-certificate clients/x509-myself.crt --load-privkey clients/x509-myself.key --to-p12 --outder --outfile clients/x509-myself.p12
```

fails to be imported in Firefox.

```
certtool --load-certificate clients/x509-myself.crt --load-privkey clients/x509-myself.key --to-p12 --outder --outfile clients/x509-myself.p12
```

fails to be imported in Firefox.

```
certtool --load-ca-certificate x509-ca.crt --load-certificate clients/x509-myself.crt --load-privkey clients/x509-myself.key --to-p12 --outraw --outfile clients/x509-myself.p12
```

fails to be imported in Firefox.

```
certtool --load-certificate clients/x509-myself.crt --load-privkey clients/x509-myself.key --to-p12 --outraw --outfile clients/x509-myself.p12
```

fails to be imported in Firefox.

I'd be grateful for any hint or suggestion for I'm definitely stuck.

UPDATE 2013-08-29: I actually could go further... with OpenSSL!

```
openssl pkcs12 -export -out clients/x509-myself.p12 -inkey clients/x509-myself.key -in clients/x509-myself.crt -name MySelf
```

for a client certificate alone or

```
openssl pkcs12 -export -out clients/x509-myself.p12 -inkey clients/x509-myself.key -in clients/x509-myself.crt -certfile x509-ca.crt -name MySelf
```

for a client certificate that also embeds the CA certificate (not sure this is the right way to go though, just a guess from what I read about client certificates and web browsers).

So it finally looks like certtool (2.12.23-r1) is inappropriate (with my current knowledge of it) for creating well-formed PKCS12 certificates for Firefox (22)...

Also note that in both cases, the PKCS12 certificate exported by OpenSSL «cannot be verified for unknown reasons» too, as per Firefox...

UPDATE 2013-08-30: I've found why verifying my client certificates failed. The following keywords must be present in the template given to certtool:

```
signing_key
encryption_key
```

Re-created my certificate and exported it again with openssl and now client identification is working with my web server.
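As an added example (not the poster's own commands), the whole procedure from this post put together in one script: a certtool template carrying signing_key and encryption_key, key and certificate generation against an existing CA, a key-usage check on the issued certificate, and the openssl PKCS#12 export with the CA certificate embedded. It assumes certtool and openssl are installed, that the CA key is unencrypted, that the template keyword tls_www_client is wanted for a client certificate, and that the export password is supplied in the environment variable P12_PASS.

```shell
#!/bin/sh
# Added example, not the poster's commands. Assumes: certtool (GnuTLS) and openssl
# on PATH, an existing CA cert/key pair with an unencrypted key, and the export
# password in the environment variable P12_PASS (kept out of argv and shell history).
set -eu

# write_client_template FILE CN: certtool template with the key-usage keywords the
# thread found necessary (signing_key, encryption_key); tls_www_client is an
# assumed addition that marks the certificate for TLS client authentication.
write_client_template() {
    cat > "$1" <<EOF
organization = "Example Org"
country = BE
cn = "$2"
expiration_days = 365
tls_www_client
signing_key
encryption_key
EOF
}

# template_has_key_usage FILE: succeed only if both required keywords are present.
template_has_key_usage() {
    grep -qx 'signing_key' "$1" && grep -qx 'encryption_key' "$1"
}

# export_client_p12 CA_CRT CA_KEY DIR CN: key + certificate from the template, then
# a PKCS#12 bundle (CA certificate embedded via -certfile) written to DIR/CN.p12.
export_client_p12() {
    ca_crt=$1; ca_key=$2; dir=$3; cn=$4
    write_client_template "$dir/$cn.tmpl" "$cn"
    template_has_key_usage "$dir/$cn.tmpl"
    certtool --generate-privkey --outfile "$dir/$cn.key"
    certtool --generate-certificate --load-privkey "$dir/$cn.key" \
        --load-ca-certificate "$ca_crt" --load-ca-privkey "$ca_key" \
        --template "$dir/$cn.tmpl" --outfile "$dir/$cn.crt"
    # Check before exporting: the issued certificate must carry digitalSignature
    # and keyEncipherment, otherwise the browser rejects it again at TLS time.
    text=$(openssl x509 -in "$dir/$cn.crt" -noout -text)
    echo "$text" | grep -q 'Digital Signature' && echo "$text" | grep -q 'Key Encipherment' \
        || { echo "key usage missing in $dir/$cn.crt" >&2; return 1; }
    openssl pkcs12 -export -in "$dir/$cn.crt" -inkey "$dir/$cn.key" \
        -certfile "$ca_crt" -name "$cn" -passout env:P12_PASS -out "$dir/$cn.p12"
}
```

Run as `P12_PASS=... sh script.sh` after sourcing it and calling `export_client_p12 x509-ca.crt x509-ca.key clients myself`; the resulting clients/myself.p12 can then be inspected with `certtool --p12-info --inraw --infile clients/myself.p12` before importing it.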

----------

## scriptkitty

I think I found part of the problem.  If you do 

```
certtool --infile client-cert.pem -i
```

you see the lines named "Public Key Id" and "SHA-1 fingerprint".

If you extract the pkcs information from both the openssl and certtool-generated pkcs12 files with:

```
certtool --p12-info --inraw --infile=openssl-generated-client.p12
```

```
certtool --p12-info --inraw --infile=certtool-generated-client.p12
```

You will see that the openssl p12 file has the "SHA-1 fingerprint" as the Key Id, whereas the certtool p12 file has as Key ID the "Public Key Id".  I do not know how to fix this or if this is even a problem.

----------

## VinzC

Thanks for your lights, scriptkitty. Sounds interesting. Don't know if I can figure out what to do but thanks for the explanation and taking the time to investigate.

----------

