Client Certificate Authentication with Self-signed Certificates
Fig 1. Just an example of how partners will configure our services.
We've been arguing about whether this option can be used with self-signed certificates (OPTION 1) or if we can ONLY use certificates issued by a
Certification Authority (CA) as part of a public-key infrastructure (PKI) or a Trust Center Service (like VeriSign) (OPTION 2).
The following SAP documentation explains that this can be done with OPTION 2
There are some SAP consultants who have said that this can be done with self-signed certificates, but none of them have explained how this can be achieved. We ran the authentication with trusted CA certs and it runs OK! With a self-signed cert it doesn't run (see both logs in the following picture).
I need an official stand from SAP about self-signed certs and certificate authentication, or I need a way to configure this scenario with self-signed certs. Any comments will be appreciated.
Andrew Purgert replied
Great news, I have a partner that runs exactly this way! There are a few more things to check.
1. Is the certificate a wildcard (eg "*.abc123.com")? I have never been able to get a wildcard to work for client authentication.
2. Is the self-signed certificate actually able to be used for client authentication? It needs to be explicitly defined if you built it in OpenSSL for example.
To check, you can open it in Windows and it should say "Proves your identity to a remote computer." If it doesn't say that, you can also see if Enhanced Key Usage on the Details tab contains "Client Authentication (1.3.6.1.5.5.7.3.2)". Note: "All issuance policies" or "All application policies" does not necessarily mean that it has client authentication.
I have seen certificates that do not contain that information because of how it was designed. This command should be able to tell you for sure:
openssl x509 -in <certificate to check> -purpose -noout -text
I grabbed it from "openssl - how to read the keyusage of a X509 V3 certificate?" on Stack Overflow.
3. Finally, the certificate could be corrupt. If you're testing internally, you can build a new certificate. These are the commands that I wrote for the partner to create a self-signed certificate that they use for client authentication. You may need to retype the commands; sometimes copy/paste messes up the dashes.
Create the cert:
openssl req -x509 -newkey rsa:2048 -keyout <certkey>.pem -out <certname>.pem -days 730
Add client authentication:
openssl x509 -in <certname>.pem -addtrust clientAuth -out <certname>.trusted.pem
Export the private key (keep this safe!):
openssl pkcs12 -export -out <certificate1>.pfx -inkey <certkey>.pem -in <certname>.pem
Get the public key:
openssl pkcs12 -in <certificate1>.pfx -clcerts -nokeys -out <public_cert>.pem
Let me know how that goes for you.
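The following is an added example, not code from this thread, from the partner set-up or from SAP. It builds three self-signed client certificates in POSIX shell with OpenSSL, with an extensions section instead of the `-addtrust` step: `-addtrust clientAuth` writes OpenSSL-specific trust attributes into a "TRUSTED CERTIFICATE" PEM and does not add the X.509 Extended Key Usage extension that point 2 above tells you to look for, so the EKU has to be stated when the certificate is created. It then runs the two checks that matter on the server side: whether the EKU really lists client authentication, and whether the certificate verifies as an SSL client when the self-signed certificate itself is the trust anchor (the OPTION 1 set-up). The certificate names, the temporary directory and the `changeit` PKCS#12 passphrase are constructed for the demo; `openssl` must be in PATH.

```shell
#!/bin/sh
# Added example, not from the thread or from SAP: self-signed TLS client certs
# with and without the clientAuth Extended Key Usage, plus the checks a server
# operator runs before trusting one. Names and the "changeit" passphrase are
# constructed for the demo. Requires openssl (1.1.1 or 3.x) in PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT   # drop this line to keep the generated files

# Minimal OpenSSL config so the run does not depend on the system openssl.cnf.
# Three extension profiles: explicit clientAuth, server-only EKU, and no EKU.
write_config() {
  cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_client]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
[v3_server_only]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
[v3_no_eku]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
EOF
}

# make_cert <name> <extension profile>: self-signed cert + key valid two years,
# like the req command in the thread but with the extensions stated explicitly.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 730 \
    -subj "/CN=$1" -config "$WORK/req.cnf" -extensions "$2" \
    -keyout "$WORK/$1.key.pem" -out "$WORK/$1.pem" 2>/dev/null
}

# has_client_auth_eku <cert>: true only if the EKU extension is present AND
# lists clientAuth. "openssl x509 -purpose" alone reports "SSL client : Yes"
# for a cert with no EKU at all, so the decoded extension is the decisive check.
has_client_auth_eku() {
  openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Client Authentication'
}

# server_accepts <cert> <truststore>: what the server does in OPTION 1. The
# self-signed cert is the only trust anchor and the cert must pass the
# sslclient purpose check. Exit status 0 means accepted.
server_accepts() {
  openssl verify -no-CAfile -no-CApath -CAfile "$2" -purpose sslclient "$1" \
    >/dev/null 2>&1
}

# bundle_pkcs12 <name> <passphrase>: the .pfx the partner keeps private, and
# the certificate-only .pem they hand to the server operator (no key inside).
bundle_pkcs12() {
  openssl pkcs12 -export -in "$WORK/$1.pem" -inkey "$WORK/$1.key.pem" \
    -out "$WORK/$1.pfx" -passout "pass:$2"
  openssl pkcs12 -in "$WORK/$1.pfx" -clcerts -nokeys -passin "pass:$2" \
    -out "$WORK/$1.public.pem" 2>/dev/null
  # The file handed over must contain a certificate and no private key.
  grep -q 'BEGIN CERTIFICATE' "$WORK/$1.public.pem" &&
    ! grep -q 'PRIVATE KEY' "$WORK/$1.public.pem"
}

# report <name>: one line with the outcome of both checks for that cert.
report() {
  eku=no; ok=no
  has_client_auth_eku "$WORK/$1.pem" && eku=yes
  server_accepts "$WORK/$1.pem" "$WORK/$1.pem" && ok=yes
  printf '%s eku=%s accepted=%s\n' "$1" "$eku" "$ok"
}

demo() {
  write_config
  make_cert partner-client v3_client
  make_cert partner-server-only v3_server_only
  make_cert partner-no-eku v3_no_eku
  bundle_pkcs12 partner-client changeit
  for n in partner-client partner-server-only partner-no-eku; do report "$n"; done
}

demo
```

Running it prints one line per certificate. Only `partner-client` passes both checks; `partner-server-only` carries an EKU that excludes client authentication and is rejected by the sslclient purpose check, which is the failure mode point 2 describes. `partner-no-eku` is accepted by the purpose check even though it never names client authentication, which is why the example inspects the decoded extension rather than relying on `-purpose` alone.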