View Issue Details

ID: 0001218
Project: Main CAcert Website
Category: certificate issuing
View Status: public
Last Update: 2014-05-20 20:58
Reporter: Uli60
Assigned To: NEOatNHNG
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Platform: IE10.0.9200.16686
OS: win7
Product Version: 2013 Q4
Target Version: 2014 Q1
Fixed in Version: 2014 Q1
Summary: 0001218: client cert issued no longer exportable with private key (class3). IE10 certs usage broken
Description: I've started Create (new) Client Cert under IE10
the cert has been signed and installed in the IE keystore
the cert shows up in the My Personal certificates list
(currently only one)
If I try to start to make a backup copy I have a page
that says
O export with private key
X export only public key
where the "export with private key" option is greyed out
The flag "mark private key exportable" seems to be set to False by default.

Some side notes
If I try to cert login with that Class3 cert I receive a page
"This page cannot be displayed"
- check that addr https://secure.cacert.org is correct
- search the page through your search provider
- refresh the page in a few minutes
- check IE settings: Option - Internet Options - Advanced - Settings - Security that the TLS and SSL protocols are activated

I have the Root + Class3 Subroot (valid until 2021) imported (separated into CA + Intermediate CA folders). I have added cacert.org to the trusted sites.
I've changed the customized security level as instructed in the create client cert process with a red warning page ... => modify custom level ...
I've modified above IE settings option about TLS + SSL settings.

restarting connect to https://secure.cacert.org/index.php?id=4
the "use which client cert" dialog appears, I've selected the issued cert that is in the IE keystore, but the error message appears again and again
whatever settings I modify, I can no longer connect to secure.cacert.org
via client cert login.

Password login continues, but all I get is a white page ?!?
verifying the key shows
"CAcert-Stammzertifikat_wixCert_1" in the display name for the root (since a couple of days; I had not seen that before, previously it was "Root CA"
or "CAcert Root CA") .. despite the fact that the key shows the correct fingerprint
The server cert shows the SAN's
DNS-Name=www.cacert.org
DNS-Name=secure.cacert.org <===
DNS-Name=wwwmail.cacert.org
DNS-Name=cacert.org
DNS-Name=www.cacert.net
DNS-Name=cacert.net
DNS-Name=www.cacert.com
DNS-Name=cacert.com

so the secure.cacert.org is also in the list
the page https://wiki.cacert.org/SystemAdministration/CertificateList
lists the server cert with expire date May 6 18:46:41 2014 GMT (no fingerprint here :-P )
the cert details in the browser display the expiry date
May 6th 2014 19:46:41 (the 1 hour difference is local time vs. GMT, which is +1); to be precise I have to write May 6th 2014 19:46:41 GMT+0100
serial number of server cert in the browser's detail page -> 0b b3 c6
sha1 fingerprint is: 21 64 c0 49 b0 01 b7 a8 4e 45 9b a6 f0 d7 ef 23 2c fc ad 58

Ok, the "CAcert-Stammzertifikat_wixCert_1" display name seems to be the display name the Windows certificate installer used for the root key, as under "Details - Options" the display name can be changed to whatever you want to see in your browser ...

but this doesn't explain why I receive "site cannot be displayed" on client cert login and a white page on account/password login
Additional Information: white page source text:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv="Content-Type" content="text/html; charset=iso-8859-1"></HEAD>
<BODY></BODY></HTML>
Tags: No tags attached.
Reviewed by: NEOatNHNG, BenBE
Test Instructions:

Activities

BenBE

2013-10-29 22:49

updater   ~0004420

Please explain the problem in two or three short and clear sentences.

Eva

2013-11-19 23:37

updater   ~0004461

I created a client certificate with IE (highest)

Then I installed it in the keystore (manually).

Afterwards I could export it - including the private key - to my file system.

I used Windows 7 and IE 10.0.9200.16736

-> ok

NEOatNHNG

2013-11-20 14:41

administrator   ~0004467

I have implemented a fix for the issue. And it should now also work on Windows XP. Please test & review.

Uli60

2013-11-26 23:15

updater   ~0004477

win7 ultimate, IE11 (updated from IE10)
root + class3 roots downloaded, imported to master/sub

create client cert, page one (selection) still shows up
selecting class3, and other options
create cert
error message -> I didn't receive a valid Certificate Request, please try a different browser

MartinGummi

2013-11-26 23:34

updater   ~0004479

Last edited: 2013-11-26 23:35

Windows XP
Version 5.1 (Build 2600.xpsp_sp3_qfe.130704-0421 : Service Pack 3)

Internet Explorer 8
Version: 8.0.6001.18702
Cipher Strength: 128-bit
Update Version: 0

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322)

CA: Class 3

Client Cert gen                                works                        => OK
Client Cert download                           does not work (minor issue)  => OK
Client Cert base64 to notepad to file.crt      works                        => OK
Public Cert import to certificate store        works                        => OK
Export private key to pfx                      works                        => OK

=> OK
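A way to check the "Export private key to pfx" step of the test table above, and the greyed-out "export with private key" option from the original report, directly against the certificate store instead of clicking through the export wizard. This is an added example, not part of this report or of the CAcert code base; it assumes Windows PowerShell 5.1 on .NET Framework 4.6 or later, and the function name and default store path are this example's own choices.

```powershell
# Added example (not from the report or the CAcert code base): for every certificate
# in the current user's Personal store, report whether its private key is marked
# exportable, i.e. whether "export with private key" would be offered in the wizard.
# Assumes Windows PowerShell 5.1 on .NET Framework 4.6+ (RSACertificateExtensions).
function Get-ClientCertExportability {
    param([string]$StorePath = 'Cert:\CurrentUser\My')  # hypothetical default: the "own certs" store

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $row = [ordered]@{
            Subject    = $cert.Subject
            Serial     = $cert.SerialNumber
            Thumbprint = $cert.Thumbprint
            HasKey     = $cert.HasPrivateKey
            KeyType    = 'none'
            Exportable = $null
        }
        if ($cert.HasPrivateKey) {
            try {
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($rsa -is [System.Security.Cryptography.RSACng]) {
                    # CNG key: ExportPolicy is a flags enum; AllowExport unset => not exportable
                    $row.KeyType    = 'CNG'
                    $row.Exportable = $rsa.Key.ExportPolicy.HasFlag([System.Security.Cryptography.CngExportPolicies]::AllowExport)
                } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    # Legacy CAPI/CSP key, the kind IE's enrollment control creates
                    $row.KeyType    = 'CSP'
                    $row.Exportable = $rsa.CspKeyContainerInfo.Exportable
                } else {
                    $row.KeyType    = 'non-RSA'   # e.g. ECDSA; not covered by this check
                }
            } catch {
                # Access denied or key on a hardware token: the flag cannot be read
                $row.Exportable = "unknown: $($_.Exception.Message)"
            }
        }
        [pscustomobject]$row
    }
}

# A key created with the exportable flag off shows Exportable = False, which is the
# state the report describes; after the fix a freshly issued cert should show True.
Get-ClientCertExportability | Format-Table -AutoSize
```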


Uli60

2013-11-26 23:40

updater   ~0004480

winXp ie8

short red text page, shortly replaced by
Security level option box [high]
button: create cert -> clicked
msg: generating your key, please wait

(long delay)
but next page with
"Install your cert"
.. into browser
download pem
download der

and ascii text of pub cert
displays

install into browser
results in white page

doesn't work


re-login
client cert - create cert

download pem
error: account.php von cacert1.. kann nicht
  heruntergeladen werden
  internetseite konnte nicht geoeffnet werden.
  sie ist entweder nicht verfuegbar
  oder konnte nicht gefunden werden

copy&paste ascii cert, serno 4E95
to file
import from file to "own certs" container
after import, cert shows serno 4e 95
cert details
copy to file - next
page now shows
"yes, export private key" AND "no, don't export priv key"

select "yes, export"
format:
  syntax standard pkcs#7 / p7b impossible, greyed out
priv exchange pkcs#12 pfx is available
  + include all certs in path
  + extended security enable ie5, nt4sp4 and higher
enter pwd
export did work.

FF import client cert
cert-pub-testsrvr-c3-004E95.pfx
requests pwd (twice)
display keys -> displays 4e95
name, email, issuer, all ok

NEOatNHNG

2014-02-05 16:00

administrator   ~0004566

Mail sent to critical admins.

wytze

2014-02-06 15:58

developer   ~0004568

The fix has been installed on the production server on February 6, 2014. See also: https://lists.cacert.org/wws/arc/cacert-systemlog/2014-02/msg00001.html

Issue History

Date Modified Username Field Change
2013-10-29 13:35 Uli60 New Issue
2013-10-29 21:41 MartinGummi Description Updated
2013-10-29 22:49 BenBE Note Added: 0004420
2013-10-29 22:49 BenBE Status new => needs feedback
2013-11-19 16:31 NEOatNHNG Assigned To => NEOatNHNG
2013-11-19 16:31 NEOatNHNG Status needs feedback => needs work
2013-11-19 22:25 NEOatNHNG Source_changeset_attached => cacert-devel testserver-stable 17b33626
2013-11-19 22:25 NEOatNHNG Source_changeset_attached => cacert-devel testserver-stable 76379293
2013-11-19 23:37 Eva Note Added: 0004461
2013-11-20 11:25 NEOatNHNG Source_changeset_attached => cacert-devel testserver-stable 3c850be8
2013-11-20 11:25 NEOatNHNG Source_changeset_attached => cacert-devel testserver-stable 036f7b67
2013-11-20 14:41 NEOatNHNG Reviewed by => NEOatNHNG
2013-11-20 14:41 NEOatNHNG Note Added: 0004467
2013-11-20 14:41 NEOatNHNG Status needs work => needs review & testing
2013-11-26 23:15 Uli60 Note Added: 0004477
2013-11-26 23:34 MartinGummi Note Added: 0004479
2013-11-26 23:35 MartinGummi Note Edited: 0004479
2013-11-26 23:40 Uli60 Note Added: 0004480
2014-01-07 23:25 BenBE Reviewed by NEOatNHNG => NEOatNHNG, BenBE
2014-01-07 23:25 BenBE Status needs review & testing => needs testing
2014-01-07 23:25 BenBE Product Version => 2013 Q4
2014-01-07 23:25 BenBE Target Version => 2014 Q1
2014-01-21 21:46 BenBE Status needs testing => ready to deploy
2014-02-05 16:00 NEOatNHNG Note Added: 0004566
2014-02-05 16:15 NEOatNHNG Source_changeset_attached => cacert-devel release a14c8f60
2014-02-06 15:58 wytze Note Added: 0004568
2014-02-06 15:58 wytze Status ready to deploy => solved?
2014-02-06 15:58 wytze Fixed in Version => 2014 Q1
2014-02-06 15:58 wytze Resolution open => fixed
2014-05-20 20:58 INOPIAE Status solved? => closed