Sohan

Reputation: 6809

How to set git client certificate for client authentication?

I have my own git repository running under Jetty 9. I want to know how I can set the git client certificate so that my git server (the Jetty server) receives the certificate in the servlet request and can read the git client certificate in order to do client authentication.

This is the command I am trying to run:

git -c http.sslcainfo=D:\jetty\punws-sohanba.sigmasys.net.crt \
    -c http.sslCert=D:\jetty\curl-ca-bundle.crt \
    clone "https://punws-sohanba.sigmasys.net:8443/git.ctr-0.0.1-SNAPSHOT/dashboard-portal/.git"

Here "punws-sohanba.sigmasys.net.crt" is my server cert, so that the git client accepts the self-signed cert.

curl-ca-bundle.crt is the git cert set in the global config of git, and I am also explicitly trying to set it via the command line (I am not sure I am doing this the right way). This curl-ca-bundle.crt file is also imported into my server.jks file as the truststore.

On the server I am not able to get the certificates when I do:

X509Certificate[] certs = (X509Certificate[]) req.getAttribute(
    "javax.servlet.request.X509Certificate");
// certs is null here (no client certificate was presented), so the
// following line throws a NullPointerException
System.out.println("cert name from git client =========>> "
    + certs[0].getSubjectDN().getName());

It gives the following error on the command line:

fatal: unable to access 'https://punws-sohanba.sigmasys.net:8443/git.ctr-0.0.1-SNAPSHOT/dashboard-portal/.git/': unable to set private key file: 'D:\jetty\curl-ca-bundle.crt' type PEM

Please suggest.

Upvotes: 1

Views: 7219

Answers (1)

chexum

Reputation: 195

It's quite difficult to read unbroken lines this way, and it's not very clear how you are trying to achieve authentication with a CA bundle as a private key (which won't work: CAs are certificates and don't have a private component). Can you clarify how many certificates and private keys you have got?

You'll need to read some material on how TLS authentication works.

In case you just need some rough direction: for a peer (client or server) to be authenticated, it needs a public key within a certificate and a private key, and for the other side to trust it, the other side will need the issuer CA (or the self-signed cert) configured as a trusted one.

The usual configuration is then a certificate PLUS the private key for that certificate on the server, and a CA bundle, or at least the single issuer CA, configured on the CLIENT as a trusted certificate.

With client authentication, in addition to that, you'll need a similar configuration on the client side: a certificate for the client PLUS the private key for it, and a configuration on the server (or at least the single issuer certificate on the SERVER as a trusted certificate).

It won't work if you have only a single self-signed certificate; you'll need one (self-signed or CA-issued) for the server and one for the client as well.

You can't just copy the certificate part from the server to authenticate the client. This part is sufficient for the client to trust the server, but without a private key, it cannot be used for cryptographic authentication.

The above command line just shows you trying to use a list of public certificates (the CA bundle) as a private key. Have you got an actual certificate with a private key?

Upvotes: 3
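As an added example that is not from the question or the answer, the following POSIX shell check classifies each PEM file by its BEGIN markers and only builds the git -c options when http.sslCert points at a certificate, http.sslKey at a private key, and http.sslCAInfo at the server's issuer (or self-signed) certificate. The sample PEM files are constructed placeholders containing marker lines only, and the function names are mine.

```shell
#!/bin/sh
# Added example: inspect PEM files before passing them to git, so a CA
# bundle (public certificates only) is never handed to http.sslKey.

# pem_role FILE -> key | cert | cert+key | bundle | unknown
# "bundle" means several certificates and no private key, which is what
# a curl-ca-bundle.crt looks like.
pem_role() {
    [ -r "$1" ] || { echo unknown; return; }
    keys=$(grep -c '^-----BEGIN .*PRIVATE KEY-----' "$1" || true)
    certs=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true)
    if [ "$keys" -gt 0 ] && [ "$certs" -gt 0 ]; then echo cert+key
    elif [ "$keys" -gt 0 ]; then echo key
    elif [ "$certs" -eq 1 ]; then echo cert
    elif [ "$certs" -gt 1 ]; then echo bundle
    else echo unknown
    fi
}

# git_client_auth_flags CLIENT_CERT CLIENT_KEY SERVER_CA
# Prints the -c options for a mutually authenticated clone, or fails and
# names the file whose contents do not match its role.
git_client_auth_flags() {
    cert_role=$(pem_role "$1"); key_role=$(pem_role "$2"); ca_role=$(pem_role "$3")
    case "$cert_role" in cert|cert+key) ;; *)
        echo "http.sslCert needs one client certificate, got $cert_role: $1" >&2; return 1;; esac
    case "$key_role" in key|cert+key) ;; *)
        echo "http.sslKey needs a private key, got $key_role: $2" >&2; return 1;; esac
    case "$ca_role" in cert|bundle) ;; *)
        echo "http.sslCAInfo needs the server's issuer certificate(s), got $ca_role: $3" >&2; return 1;; esac
    printf '%s\n' "-c http.sslCAInfo=$3 -c http.sslCert=$1 -c http.sslKey=$2"
}

# write_samples DIR: constructed placeholder PEM files (markers only, no
# real key material) mirroring the files in the question plus a client key.
write_samples() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...constructed...' '-----END CERTIFICATE-----' > "$1/server.crt"
    cat "$1/server.crt" "$1/server.crt" > "$1/curl-ca-bundle.crt"
    cp "$1/server.crt" "$1/client.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIE...constructed...' '-----END PRIVATE KEY-----' > "$1/client.key"
}

dir=$(mktemp -d)
write_samples "$dir"
# The question's layout: a CA bundle where a private key is required -> rejected
git_client_auth_flags "$dir/curl-ca-bundle.crt" "$dir/curl-ca-bundle.crt" "$dir/server.crt" || echo "rejected, as git/curl did"
# Correct layout: client cert plus its key, server cert as the trust anchor
git_client_auth_flags "$dir/client.crt" "$dir/client.key" "$dir/server.crt"
```

The printed options can be spliced into `git <options> clone <url>`; the Jetty side still has to request client certificates (needClientAuth/wantClientAuth) and trust the client's issuer for the servlet attribute to be populated.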
