gsep dot daimler dot com requires authentication with a user's client certificate.
I don’t know whether you have tested client certificates on any web site yet.
- The client certificate has been imported into the login keychain on macOS. Unfortunately the delivered PKCS12 file is missing the issuing CA, which is a customer CA and not an official root CA.
Certificate Data:
Version: 3 (0x2)
Serial Number: 9065421335634063981 (0x7dced8ac91b7326d)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = DE, O = Daimler AG, CN = Daimler-AG-ALM-GSEP
Validity
Not Before: Mar 4 21:12:24 2020 GMT
Not After : Mar 4 21:22:24 2022 GMT
Subject: C = DE, O = Daimler AG, CN = Daimler-AG-ALM-GSEP_23911
- Regardless of whether I leave the certificate untrusted (“System Default”) or trust it manually in Keychain, I always get the same result. And I cannot import the issuer CA, because I simply don’t have it.
- Access gsep dot daimler dot com
- Choose the named client certificate
- ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED
Expected result:
- The client certificate is presented to the server and the TLS handshake finishes successfully, as it does in e.g. Firefox and Safari, but not in Google Chrome, which gives the same error.
Brave Version: 1.22.67 Chromium: 89.0.4389.90 (Official Build) (x86_64)
Additional Information:
- Shields are down for this site (individually).
- I get no error messages in the developer tools console.
- I get no response back from the web site, no headers or HTTP error codes.
- The server does have valid TLS server certificates issued by QuoVadis Root CA.
- openssl s_client output:
openssl s_client -connect gsep.daimler.com:443 -cert Daimler-AG-ALM-GSEP_23911.pem -verify +2
verify depth is 2
CONNECTED(00000005)
depth=2 C = BM, O = QuoVadis Limited, CN = QuoVadis Root CA 2 G3
verify return:1
depth=1 C = BM, O = QuoVadis Limited, CN = QuoVadis Global SSL ICA G3
verify return:1
depth=0 C = DE, ST = Baden-W\C3\BCrttemberg, L = Stuttgart, O = Daimler AG, CN = gsep.daimler.com
verify return:1
Certificate chain
0 s:C = DE, ST = Baden-W\C3\BCrttemberg, L = Stuttgart, O = Daimler AG, CN = gsep.daimler.com
i:C = BM, O = QuoVadis Limited, CN = QuoVadis Global SSL ICA G3
1 s:C = BM, O = QuoVadis Limited, CN = QuoVadis Global SSL ICA G3
i:C = BM, O = QuoVadis Limited, CN = QuoVadis Root CA 2 G3
2 s:C = BM, O = QuoVadis Limited, CN = QuoVadis Root CA 2 G3
i:C = BM, O = QuoVadis Limited, CN = QuoVadis Root CA 2 G3
Server certificate
-----BEGIN CERTIFICATE-----
MIIG/TCCBOWgAwIBAgIUZIf53c0VrDnjIdvXnYqmcjb91j8wDQYJKoZIhvcNAQEL
…
-----END CERTIFICATE-----
subject=C = DE, ST = Baden-W\C3\BCrttemberg, L = Stuttgart, O = Daimler AG, CN = gsep.daimler.com
issuer=C = BM, O = QuoVadis Limited, CN = QuoVadis Global SSL ICA G3
---
Acceptable client certificate CA names
C = DE, O = Daimler AG, CN = Daimler-AG-ALM-GSEP
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5508 bytes and written 1699 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: D208D422264D4807BAD0A2D68C95F38E1283A9827137EDA6BAA62D5B5E25409F
Session-ID-ctx:
Master-Key: 8745EE0829A64E4A45CD00D7C48EABB823F3DBCA4E407965EF6F55B8CD8C0BDA4F7D287A0D18B4D7AED0381F0094CF64
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1617017119
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
P.S. New user, may only put 4 links in a post, even though it was always the same…
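Added example, not part of the original post: a shell script (using the same openssl tooling as the s_client run above) that builds a throwaway CA and client certificate and then runs the three checks that separate the problems a report like this touches on: a PKCS12 bundle shipped without its issuing CA, a private key that does not belong to the certificate (one cause of a CertificateVerify signature the server rejects), and a certificate whose issuer is not in the server's "Acceptable client certificate CA names" list, which is what the browser uses to decide which certificates to offer. All names (Example Org, Example-Client-CA, client-0001, the `demo` password, the `ACCEPTABLE_CA` string) are constructed for the demo; the real CA name would be copied from the s_client output.

```shell
#!/bin/sh
# Added example (not from the original post). Builds constructed test material with a
# throwaway CA and runs the checks a practitioner uses on a client certificate that fails
# TLS client authentication. Requires the openssl command-line tool.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
P12PASS=demo   # constructed PKCS12 password for the demo bundles

# --- Constructed test material -----------------------------------------------------
# Extension profiles written explicitly so the demo does not depend on the system openssl.cnf.
cat > "$WORK/ext.cnf" <<'EOF'
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_client]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF

# Throwaway issuing CA (stands in for the customer CA that the delivered PKCS12 lacked).
openssl req -newkey rsa:2048 -nodes -sha256 -subj "/C=DE/O=Example Org/CN=Example-Client-CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 2 -sha256 \
  -extfile "$WORK/ext.cnf" -extensions v3_ca -out "$WORK/ca.pem" 2>/dev/null

# Client key and certificate issued by that CA.
openssl req -newkey rsa:2048 -nodes -sha256 -subj "/C=DE/O=Example Org/CN=client-0001" \
  -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
  -days 1 -sha256 -extfile "$WORK/ext.cnf" -extensions v3_client -out "$WORK/client.pem" 2>/dev/null

# Two PKCS12 bundles: one without the issuing CA (as delivered in the report), one with it.
openssl pkcs12 -export -passout "pass:$P12PASS" -inkey "$WORK/client.key" \
  -in "$WORK/client.pem" -out "$WORK/no-chain.p12"
openssl pkcs12 -export -passout "pass:$P12PASS" -inkey "$WORK/client.key" \
  -in "$WORK/client.pem" -certfile "$WORK/ca.pem" -out "$WORK/with-chain.p12"

# --- Checks -------------------------------------------------------------------------
# Number of certificates in a PKCS12 bundle. 1 means only the leaf is present and the
# issuing CA has to be obtained separately before the chain can be trusted.
p12_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$P12PASS" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Does the private key belong to the certificate? Compares SHA-256 over the DER-encoded
# public key taken from the certificate and the one derived from the private key.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$2" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Does the certificate's issuer DN equal a CA name from the server's CertificateRequest?
# Both sides are compared in RFC 2253 form; use "-nameopt RFC2253" when copying the real name.
issuer_is_acceptable() {
  cert_issuer=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
  [ "$cert_issuer" = "$2" ]
}

# Does the leaf chain to the CA certificates at hand? This is the check that cannot pass
# while the issuing CA is missing.
chain_verifies() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Constructed stand-in for a name from the "Acceptable client certificate CA names" list.
ACCEPTABLE_CA='CN=Example-Client-CA,O=Example Org,C=DE'

echo "certificates in no-chain.p12:   $(p12_cert_count "$WORK/no-chain.p12")"
echo "certificates in with-chain.p12: $(p12_cert_count "$WORK/with-chain.p12")"
key_matches_cert "$WORK/client.pem" "$WORK/client.key" && echo "private key matches certificate"
issuer_is_acceptable "$WORK/client.pem" "$ACCEPTABLE_CA" && echo "issuer is in the acceptable CA list"
chain_verifies "$WORK/client.pem" "$WORK/ca.pem" && echo "leaf chains to the issuing CA"
```

To apply the checks to a real bundle, extract the certificate and key with `openssl pkcs12 -in bundle.p12 -nokeys` and `openssl pkcs12 -in bundle.p12 -nocerts -nodes`, and copy the CA name from the s_client "Acceptable client certificate CA names" block; if `p12_cert_count` reports 1, the issuing CA certificate must be obtained from the issuer before any chain check can succeed.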