Hello Everyone,
I’m attempting to consume a web service that requires me to authenticate the client using certificates. I was given a (.pfx) certificate locked with a password by the 3rd party vendor. I know I need to convert the current certificate I have into a (.pem) certificate, which I’ll accomplish using the openssl tools.
I’m a bit new to SSL and network security, thus I’m not entirely sure if I should only be creating a client certificate from the original (.pfx) file or if a server certificate will also need to get created.
I used the command: “pkcs12 -in certificate.pfx -out certificate.pem -nodes (-clcerts/-cacerts)” to create my pem certificate.
Here is my current configuration:
[SSLconnection]
debug = 7
CAfile = certificate.pem
client = yes
verify = 2
accept = 127.0.0.1:9001
connect = web.service.com:443
And the log: (I obscured some identity information)
2013.12.10 09:36:41 LOG5[9776:8488]: stunnel 4.56 on x86-pc-msvc-1500 platform
2013.12.10 09:36:41 LOG5[9776:8488]: Compiled/running with OpenSSL 1.0.1e-fips 11 Feb 2013
2013.12.10 09:36:41 LOG5[9776:8488]: Threading:WIN32 Sockets:SELECT,IPv6 SSL:ENGINE,OCSP,FIPS
2013.12.10 09:36:41 LOG5[9776:8488]: Reading configuration from file stunnel.conf
2013.12.10 09:36:41 LOG5[9776:8488]: FIPS mode is enabled
2013.12.10 09:36:41 LOG5[9776:8488]: Configuration successful
2013.12.10 09:36:44 LOG5[9776:9024]: Service [SSLconnection] accepted connection from 127.0.0.1:60659
2013.12.10 09:36:44 LOG5[9776:9024]: connect_blocking: connected web.service.com:443
2013.12.10 09:36:44 LOG5[9776:9024]: Service [SSLconnection] connected remote server from 192.168.50.211:60660
2013.12.10 09:36:44 LOG5[9776:9024]: Certificate accepted: depth=1, /C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
2013.12.10 09:36:44 LOG5[9776:9024]: Certificate accepted: depth=1, /C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
2013.12.10 09:36:44 LOG4[9776:9024]: CERT: Certificate not found in local repository
2013.12.10 09:36:44 LOG4[9776:9024]: Certificate check failed: depth=0, /C=US/ST=Texas/L=Austin/O=OName/CN=web.service.com
2013.12.10 09:36:44 LOG3[9776:9024]: SSL_connect: 14090086: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2013.12.10 09:36:44 LOG5[9776:9024]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
Looks like my problem is stemming from "Certificate not found in local repository"?
Thank you in advance for any assistance,
Jake
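An added example, not part of Jake's post and not stunnel's own code: a POSIX shell script that splits a password-protected .pfx into the separate client certificate, private key and CA bundle that stunnel's cert, key and CAfile settings expect, then checks that the key matches the certificate and that the certificate chains to the bundled CA. It assumes openssl on PATH and the .pfx password exported as PFX_PASS; the file names, the demo CA and the demo client certificate are constructed for the example, not vendor material.

```shell
#!/bin/sh
# Added example (not from the original post): split a vendor-supplied .pfx into
# the separate files an stunnel client configuration expects, then check them.
# Assumes: openssl on PATH; the .pfx password exported in PFX_PASS.
set -e

# Extract the client cert, private key and bundled CA certs from $1 into dir $2.
split_pfx() {
  mkdir -p "$2"
  # Client certificate only: what "cert =" in stunnel.conf should point to.
  openssl pkcs12 -in "$1" -passin env:PFX_PASS -clcerts -nokeys -out "$2/client-cert.pem"
  # Private key, unencrypted (-nodes) so stunnel can load it: "key =".
  openssl pkcs12 -in "$1" -passin env:PFX_PASS -nocerts -nodes -out "$2/client-key.pem"
  # CA certificates the vendor bundled, if any: a starting point for "CAfile =".
  openssl pkcs12 -in "$1" -passin env:PFX_PASS -cacerts -nokeys -out "$2/ca-bundle.pem"
}

# Succeeds only if private key $2 belongs to certificate $1 (compares public keys).
check_pair() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if certificate $2 chains to a CA in bundle $1. This is the check
# "verify = 2" applies to the server's certificate using "CAfile"; a CAfile that
# holds only the client certificate cannot satisfy it.
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed demo input (no real vendor material): a throwaway CA, a client
# cert it signed, and a password-protected .pfx bundling cert, key and CA.
make_demo_pfx() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=Demo-CA \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj /CN=demo-client \
    -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null
  openssl x509 -req -in "$1/client.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/client.crt" 2>/dev/null
  openssl pkcs12 -export -in "$1/client.crt" -inkey "$1/client.key" \
    -certfile "$1/ca.crt" -passout env:PFX_PASS -out "$1/client.pfx"
}

# Stand-alone run: PFX_PASS=demo-secret sh split_pfx.sh demo
if [ "${1:-}" = demo ]; then
  WORK=$(mktemp -d); make_demo_pfx "$WORK"; split_pfx "$WORK/client.pfx" "$WORK/out"
  check_pair "$WORK/out/client-cert.pem" "$WORK/out/client-key.pem" && echo "key matches cert"
  verify_chain "$WORK/out/ca-bundle.pem" "$WORK/out/client-cert.pem" && echo "chains to bundled CA"
fi
```

With a real vendor .pfx, point stunnel's cert and key at client-cert.pem and client-key.pem, and put the CA that issued the server's certificate (not the client certificate) in the file named by CAfile.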