View Issue Details

IDProjectCategoryView StatusLast Update
0001218Main CAcert Websitecertificate issuingpublic2014-05-20 20:58
ReporterUli60 Assigned ToNEOatNHNG  
PrioritynormalSeverityminorReproducibilityalways
Status closedResolutionfixed 
PlatformIE10.0.9200.16686OSwin7 
Product Version2013 Q4 
Target Version2014 Q1Fixed in Version2014 Q1 
Summary0001218: client cert issued no longer exportable with private key (class3). IE10 certs usage broken
DescriptionI'v started Create (new) Client Cert under IE10
the cert has been signed and installed in the IE keystore
the cert shows up in the My Personal certificates list
(currently only one)
If I try to start to make a backup copy I have a page
that says
O export with private key
X export only public key
where the "export with private key" option is greyed out
The flag "mark private key exportable" seems to be set to False by default.

Some sitenotes
If I try to cert login with that Class3 cert I receive a page
"This page cannot be displayed"
- check that addr https://secure.cacert.org is correct
- search the page through your search provider
- refresh the page in a few minutes
- check IE settings: Option - Internet Options - Advanced - Settings - Security that the TLS and SSL protocols are activated

I have the Root + Class3 Subroot (valid until 2021) imported (separated to CA + Intermediate CA folders). I have activated cacert.org to the trusted sites.
I've changed the customized security level as instructed in the create client cert process with a red warning page ... => modify custom level ...
I've modified above IE settings option about TLS + SSL settings.

restarting connect to https://secure.cacert.org/index.php?id=4
the use what client cert appears, I've selected the issued cert that is in the IE keystore, but the error message appears again and again
whatever settings I modify, I no longer can connect secure.cacert.org
via client cert login.

Password login continues, but all what I get is a white page ?!?
verifying the key shows
"CAcert-Stammzertifikat_wixCert_1" in the displayname for the root (since a couple of days, I've previously not yet have seen, previously it was "Root CA"
or "CAcert Root CA" .. despite the fact the key shows correct fingerprint
The server cert shows the SAN's
DNS-Name=www.cacert.org
DNS-Name=secure.cacert.org <===
DNS-Name=wwwmail.cacert.org
DNS-Name=cacert.org
DNS-Name=www.cacert.net
DNS-Name=cacert.net
DNS-Name=www.cacert.com
DNS-Name=cacert.com

so the secure.cacert.org is also in the list
the page https://wiki.cacert.org/SystemAdministration/CertificateList
lists the server cert with expire date May 6 18:46:41 2014 GMT (no fingerprint here :-P )
the cert details list under the browser displays expire date
May 6th ‎2014 19:46:41 (one 1 hour time difference is the local time vs. GMT time difference that is +1), to be precise I have to write May 6th ‎2014 19:46:41 GMT+0100
serial number of server cert in browsers detail page -> ‎0b b3 c6
sha1 fingerprint is: ‎21 64 c0 49 b0 01 b7 a8 4e 45 9b a6 f0 d7 ef 23 2c fc ad 58

Ok, the "CAcert-Stammzertifikat_wixCert_1" displayname seems to be the Windows Certs installer used displayname for the root key, as under "Details - Options" the displayname can be changed to whatever you want to see in your browser ...

but this doesn't explain why I receive a site cannot be displayed in client cert login and a white page on account/password login
Additional Informationwhite page source text:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv="Content-Type" content="text/html; charset=iso-8859-1"></HEAD>
<BODY></BODY></HTML>
TagsNo tags attached.
Reviewed byNEOatNHNG, BenBE
Test Instructions

Activities

BenBE

2013-10-29 22:49

updater   ~0004420

Please explain the problem in two or three short and clear sentences.

Eva

2013-11-19 23:37

updater   ~0004461

I created a client certificate with IE (highest)

Then I installed it in the keystore (manually).

Afterwards I could export it - including the private key - to my file system.

I used windows 7 and IE 10.0.9200.16736

-> ok

NEOatNHNG

2013-11-20 14:41

administrator   ~0004467

I have implemented a fix for the issue. And it should now also work on Windows XP. Please test & review.

Uli60

2013-11-26 23:15

updater   ~0004477

win7 ultimate, IE11 (updated from IE10)
root + class3 roots downloaded, imported to master/sub

create client cert, page one (selection) still shows up
selecting class3, and other options
create cert
error message -> I didn't receive a valid Certificate Request, please try a different browser

MartinGummi

2013-11-26 23:34

updater   ~0004479

Last edited: 2013-11-26 23:35

View 2 revisions

Windows XP
Version 5.1 (Build 2600.xpsp_sp3_qfe.130704-0421 : Service Pack 3)

Internet Explorer 8
Version: 8.0.6001.18702
Cipher Strength: 128-bit
Update Version: 0

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322)

CA: Class 3

Client Cert gen                              workes    => OK
Client Cert download     not works      minor issue    => OK
Client Cert base64 to notepad to file.crt    workes    => OK
Public Cert import to certificate store      workes    => OK
Export private key to pfx                    workes    => OK

=> OK


Uli60

2013-11-26 23:40

updater   ~0004480

winXp ie8

short red text page, shortly replaced by
Security level option box [high]
button: create cert -> clicked
msg: generating your key, please wait

(long delay)
but next page with
"Install your cert"
.. into browser
download pem
download der

and ascii text of pub cert
displays

install into browser
results in white page

doesn't work


re-login
client cert - create cert

download pem
error: account.php von cacert1.. kann nicht
  heruntergeladen werden
  internetseite konnte nicht geoeffnet werden.
  sie ist entweder nicht verfuegbar
  oder konnte nicht gefunden werden

copy&paste ascii cert, serno 4E95
to file
import from file to "own certs" container
after import, cert shows serno 4e 95
cert details
copy to file - next
page now shows
"yes, export private key" AND "no, don't export priv key"

select "yes, export"
format:
  syntax standard pkcs#7 / p7b impossible, greyed out
priv exchange pkcs#12 pfx is available
  + include all certs in path
  + extended security enable ie5, nt4sp4 and higher
enter pwd
export did work.

FF import client cert
cert-pub-testsrvr-c3-004E95.pfx
requests pwd (twice)
display keys -> displays 4e95
name, email, issuer, all ok

NEOatNHNG

2014-02-05 16:00

administrator   ~0004566

Mail sent to critical admins.

wytze

2014-02-06 15:58

developer   ~0004568

The fix has been installed on the production server on February 6, 2014. See also: https://lists.cacert.org/wws/arc/cacert-systemlog/2014-02/msg00001.html

Issue History

Date Modified Username Field Change
2013-10-29 13:35 Uli60 New Issue
2013-10-29 21:41 MartinGummi Description Updated View Revisions
2013-10-29 22:49 BenBE Note Added: 0004420
2013-10-29 22:49 BenBE Status new => needs feedback
2013-11-19 16:31 NEOatNHNG Assigned To => NEOatNHNG
2013-11-19 16:31 NEOatNHNG Status needs feedback => needs work
2013-11-19 22:25 NEOatNHNG Source_changeset_attached => cacert-devel testserver-stable 17b33626
2013-11-19 22:25 NEOatNHNG Source_changeset_attached => cacert-devel testserver-stable 76379293
2013-11-19 23:37 Eva Note Added: 0004461
2013-11-20 11:25 NEOatNHNG Source_changeset_attached => cacert-devel testserver-stable 3c850be8
2013-11-20 11:25 NEOatNHNG Source_changeset_attached => cacert-devel testserver-stable 036f7b67
2013-11-20 14:41 NEOatNHNG Reviewed by => NEOatNHNG
2013-11-20 14:41 NEOatNHNG Note Added: 0004467
2013-11-20 14:41 NEOatNHNG Status needs work => needs review & testing
2013-11-26 23:15 Uli60 Note Added: 0004477
2013-11-26 23:34 MartinGummi Note Added: 0004479
2013-11-26 23:35 MartinGummi Note Edited: 0004479 View Revisions
2013-11-26 23:40 Uli60 Note Added: 0004480
2014-01-07 23:25 BenBE Reviewed by NEOatNHNG => NEOatNHNG, BenBE
2014-01-07 23:25 BenBE Status needs review & testing => needs testing
2014-01-07 23:25 BenBE Product Version => 2013 Q4
2014-01-07 23:25 BenBE Target Version => 2014 Q1
2014-01-21 21:46 BenBE Status needs testing => ready to deploy
2014-02-05 16:00 NEOatNHNG Note Added: 0004566
2014-02-05 16:15 NEOatNHNG Source_changeset_attached => cacert-devel release a14c8f60
2014-02-06 15:58 wytze Note Added: 0004568
2014-02-06 15:58 wytze Status ready to deploy => solved?
2014-02-06 15:58 wytze Fixed in Version => 2014 Q1
2014-02-06 15:58 wytze Resolution open => fixed
2014-05-20 20:58 INOPIAE Status solved? => closed