View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0001218||Main CAcert Website||certificate issuing||public||2013-10-29 13:35||2014-05-20 20:58|
|Product Version||2013 Q4|
|Target Version||2014 Q1||Fixed in Version||2014 Q1|
|Summary||0001218: client cert issued no longer exportable with private key (class3). IE10 certs usage broken|
|Description||I've started Create (new) Client Cert under IE10
the cert has been signed and installed in the IE keystore
the cert shows up in the My Personal certificates list
(currently only one)
If I try to start to make a backup copy I have a page
O export with private key
X export only public key
where the "export with private key" option is greyed out
The flag "mark private key exportable" seems to be set to False by default.
If I try to cert login with that Class3 cert I receive a page
"This page cannot be displayed"
- check that addr https://secure.cacert.org is correct
- search the page through your search provider
- refresh the page in a few minutes
- check IE settings: Option - Internet Options - Advanced - Settings - Security that the TLS and SSL protocols are activated
I have the Root + Class3 Subroot (valid until 2021) imported (separated to CA + Intermediate CA folders). I have activated cacert.org to the trusted sites.
I've changed the customized security level as instructed in the create client cert process with a red warning page ... => modify custom level ...
I've modified above IE settings option about TLS + SSL settings.
restarting connect to https://secure.cacert.org/index.php?id=4
the use what client cert appears, I've selected the issued cert that is in the IE keystore, but the error message appears again and again
whatever settings I modify, I can no longer connect to secure.cacert.org
via client cert login.
Password login continues, but all I get is a white page ?!?
verifying the key shows
"CAcert-Stammzertifikat_wixCert_1" in the displayname for the root (since a couple of days; I have not seen this before, previously it was "Root CA"
or "CAcert Root CA") .. despite the fact the key shows the correct fingerprint
The server cert shows the SAN's
so the secure.cacert.org is also in the list
the page https://wiki.cacert.org/SystemAdministration/CertificateList
lists the server cert with expire date May 6 18:46:41 2014 GMT (no fingerprint here :-P )
the cert details list under the browser displays expire date
May 6th 2014 19:46:41 (the 1 hour time difference is the local time vs. GMT time difference, that is +1), to be precise I have to write May 6th 2014 19:46:41 GMT+0100
serial number of server cert in browsers detail page -> 0b b3 c6
sha1 fingerprint is: 21 64 c0 49 b0 01 b7 a8 4e 45 9b a6 f0 d7 ef 23 2c fc ad 58
Ok, the "CAcert-Stammzertifikat_wixCert_1" displayname seems to be the Windows Certs installer used displayname for the root key, as under "Details - Options" the displayname can be changed to whatever you want to see in your browser ...
but this doesn't explain why I receive a site cannot be displayed in client cert login and a white page on account/password login
|Additional Information||white page source text:|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<META http-equiv="Content-Type" content="text/html; charset=iso-8859-1"></HEAD>
|Tags||No tags attached.|
|Reviewed by||NEOatNHNG, BenBE|
||Please explain the problem in two or three short and clear sentences.|
I created a client certificate with IE (highest)
Then I installed it in the keystore (manually).
Afterwards I could export it - including the private key - to my file system.
I used Windows 7 and IE 10.0.9200.16736
||I have implemented a fix for the issue. And it should now also work on Windows XP. Please test & review.|
win7 ultimate, IE11 (updated from IE10)
root + class3 roots downloaded, imported to master/sub
create client cert, page one (selection) still shows up
selecting class3, and other options
error message -> I didn't receive a valid Certificate Request, please try a different browser
Version 5.1 (Build 2600.xpsp_sp3_qfe.130704-0421 : Service Pack 3)
Internet Explorer 8
Cipher Strength: 128-bit
Update Version: 0
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322)
CA: Class 3
Client Cert gen works => OK
Client Cert download does not work, minor issue => OK
Client Cert base64 to notepad to file.crt works => OK
Public Cert import to certificate store works => OK
Export private key to pfx works => OK
=> OK
short red text page, shortly replaced by
Security level option box [high]
button: create cert -> clicked
msg: generating your key, please wait
but next page with
"Install your cert"
.. into browser
and ascii text of pub cert
install into browser
results in white page
client cert - create cert
error: account.php von cacert1.. kann nicht
internetseite konnte nicht geoeffnet werden.
sie ist entweder nicht verfuegbar
oder konnte nicht gefunden werden
copy&paste ascii cert, serno 4E95
import from file to "own certs" container
after import, cert shows serno 4e 95
copy to file - next
page now shows
"yes, export private key" AND "no, don't export priv key"
select "yes, export"
syntax standard pkcs#7 / p7b impossible, greyed out
priv exchange pkcs#12 pfx is available
+ include all certs in path
+ extended security enable ie5, nt4sp4 and higher
export did work.
FF import client cert
requests pwd (twice)
display keys -> displays 4e95
name, email, issuer, all ok
||Mail sent to critical admins.|
||The fix has been installed on the production server on February 6, 2014. See also: https://lists.cacert.org/wws/arc/cacert-systemlog/2014-02/msg00001.html|
|2013-10-29 13:35||Uli60||New Issue|
|2013-10-29 21:41||MartinGummi||Description Updated|
|2013-10-29 22:49||BenBE||Note Added: 0004420|
|2013-10-29 22:49||BenBE||Status||new => needs feedback|
|2013-11-19 16:31||NEOatNHNG||Assigned To||=> NEOatNHNG|
|2013-11-19 16:31||NEOatNHNG||Status||needs feedback => needs work|
|2013-11-19 22:25||NEOatNHNG||Source_changeset_attached||=> cacert-devel testserver-stable 17b33626|
|2013-11-19 22:25||NEOatNHNG||Source_changeset_attached||=> cacert-devel testserver-stable 76379293|
|2013-11-19 23:37||Eva||Note Added: 0004461|
|2013-11-20 11:25||NEOatNHNG||Source_changeset_attached||=> cacert-devel testserver-stable 3c850be8|
|2013-11-20 11:25||NEOatNHNG||Source_changeset_attached||=> cacert-devel testserver-stable 036f7b67|
|2013-11-20 14:41||NEOatNHNG||Reviewed by||=> NEOatNHNG|
|2013-11-20 14:41||NEOatNHNG||Note Added: 0004467|
|2013-11-20 14:41||NEOatNHNG||Status||needs work => needs review & testing|
|2013-11-26 23:15||Uli60||Note Added: 0004477|
|2013-11-26 23:34||MartinGummi||Note Added: 0004479|
|2013-11-26 23:35||MartinGummi||Note Edited: 0004479|
|2013-11-26 23:40||Uli60||Note Added: 0004480|
|2014-01-07 23:25||BenBE||Reviewed by||NEOatNHNG => NEOatNHNG, BenBE|
|2014-01-07 23:25||BenBE||Status||needs review & testing => needs testing|
|2014-01-07 23:25||BenBE||Product Version||=> 2013 Q4|
|2014-01-07 23:25||BenBE||Target Version||=> 2014 Q1|
|2014-01-21 21:46||BenBE||Status||needs testing => ready to deploy|
|2014-02-05 16:00||NEOatNHNG||Note Added: 0004566|
|2014-02-05 16:15||NEOatNHNG||Source_changeset_attached||=> cacert-devel release a14c8f60|
|2014-02-06 15:58||wytze||Note Added: 0004568|
|2014-02-06 15:58||wytze||Status||ready to deploy => solved?|
|2014-02-06 15:58||wytze||Fixed in Version||=> 2014 Q1|
|2014-02-06 15:58||wytze||Resolution||open => fixed|
|2014-05-20 20:58||INOPIAE||Status||solved? => closed|