
I have my own git repository running under jetty-9. I want to know how I can set the git client certificate so my git server (jetty server) would be able to receive the certificate in the servlet request and get the git client certificate in order to do client authentication.

Following is the command I am trying to run:

git -c http.sslcainfo=D:\jetty\punws-sohanba.sigmasys.net.crt \
    -c http.sslCert=D:\jetty\curl-ca-bundle.crt \
    clone "https://punws-sohanba.sigmasys.net:8443/git.ctr-0.0.1-SNAPSHOT/dashboard-portal/.git"

Where "punws-sohanba.sigmasys.net.crt" is my server cert, so that the git client accepts the self-signed cert.

curl-ca-bundle.crt is the git cert set in the global config of git, and I am also explicitly trying to set it via the command line (I am not sure I am doing this the right way). This curl-ca-bundle.crt file is also imported into my server.jks file as the truststore.

On the server I am not able to get the certificates when I do:

X509Certificate[] certs = (X509Certificate[])req.getAttribute(
    "javax.servlet.request.X509Certificate");
System.out.println(
    "cert name from git client =========>> " + certs[0].getSubjectDN().getName()
); //returns null-pointer here

It gives the following error on the command line:

fatal: unable to access 'https://punws-sohanba.sigmasys.net:8443/git.ctr-0.0.1-SNAPSHOT/dashboard-portal/.git/': unable to set private key file: 'D:\jetty\curl-ca-bundle.crt' type PEM

Please suggest.

  • What if you completely omit the -c http.sslCert=D:\jetty\curl-ca-bundle.crt bit? From the output of git help config, it appears that the http.sslCert is for setting certs your Git client should use for itself, and not to verify its peers. Commented Dec 29, 2015 at 15:46
  • If I omit http.sslCert, it throws fatal: unable to access 'https://punws-sohanba.sigmasys.net:8443/git.ctr-0.0.1-SNAPSHOT/dashboard-portal/.git/': Unknown SSL protocol error in connection to punws-sohanba.sigmasys.net:8443 error Commented Dec 30, 2015 at 6:02

1 Answer

It's quite difficult to read unbroken lines in this way, and it's not very clear how you are trying to achieve authentication with a CA bundle as a private key (which won't work: CAs are certificates, they don't have a private component). Can you clarify how many certificates and private keys you have got?

You'll need to read some materials on how TLS authentication works.

In case you just need some rough direction: for a peer (client or server) to be authenticated, it needs a public key within a certificate and a private key, and for the other side to trust it, the other side will need the issuer CA (or the self-signed cert) as a trusted one.

The usual configuration is then a certificate PLUS the private key for that certificate on the server, and a CA bundle, or at least the single issuer CA, configured on the CLIENT as a trusted certificate.

With client authentication, in addition to that, you'll need a similar configuration on the client side: a certificate for the client PLUS the private key for it, and a corresponding configuration on the server (at least the single issuer certificate configured on the SERVER as a trusted certificate).

It won't work if you have only a single self-signed certificate; you'll need one (self-signed, or CA issued) for the server and one for the client as well.

You can't just copy the certificate part from the server to authenticate the client. This part is sufficient for the client to trust the server, but without a private key, it cannot be used for cryptographic authentication.

The above command line just shows you trying to use a list of public certificates (the CA bundle) as a private key. Have you got an actual certificate with a private key?
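The setup the answer describes, as an added example written in Go that is not part of the original post nor code from Jetty or git: one small CA issues a server certificate and a client certificate, each with its own private key; the server (standing in for Jetty) presents its cert plus key, requires and verifies the client certificate against the issuer it trusts, and reads the peer certificate the same way the servlet reads javax.servlet.request.X509Certificate; the client (standing in for git) is run once with certificate plus key, and once with only a trust bundle, which is the failing situation in the question. The names demo-ca and git-client-1 and the helpers must, issue, startServer, get and Demo are assumptions of this example, and the comments mapping them to git's http.sslCAInfo / http.sslCert / http.sslKey settings and Jetty's needClientAuth describe the intended correspondence, not either project's code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // demo only: key generation and cert creation cannot fail on valid input
	}
	return v
}

// issue makes a key pair plus a certificate for cn: a self-signed CA when parent is nil,
// otherwise a leaf signed by parent/parentKey (with an IP SAN for the test server's 127.0.0.1).
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo only; real CAs use random serials
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  parent == nil,
	}
	if parent == nil {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		tmpl.IPAddresses = []net.IP{net.ParseIP("127.0.0.1")}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// startServer is the Jetty side: the server's own cert PLUS its private key, and a truststore
// holding the client issuer. RequireAndVerifyClientCert is the analogue of needClientAuth=true.
func startServer(cert *x509.Certificate, key *ecdsa.PrivateKey, clientCA *x509.Certificate) *httptest.Server {
	trust := x509.NewCertPool()
	trust.AddCert(clientCA)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Same data the servlet reads from javax.servlet.request.X509Certificate; with
		// RequireAndVerifyClientCert the handler never runs for a client that sent no cert.
		fmt.Fprint(w, r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    trust,
	}
	srv.StartTLS()
	return srv
}

// get is the git side: serverCA plays the role of http.sslCAInfo, clientCert (cert AND key) of
// http.sslCert/http.sslKey. A nil clientCert mimics a client that owns only a trust bundle.
func get(url string, serverCA *x509.Certificate, clientCert *tls.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(serverCA)
	cfg := &tls.Config{RootCAs: roots}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// Demo has one CA issue both certs (two self-signed certs, each trusted directly by the other
// side, work too). Returns the subject the server saw and the error the key-less client got.
func Demo() (subject string, noCertErr error, err error) {
	ca, caKey := issue("demo-ca", nil, nil)
	srvCert, srvKey := issue("punws-sohanba.sigmasys.net", ca, caKey)
	cliCert, cliKey := issue("git-client-1", ca, caKey)
	srv := startServer(srvCert, srvKey, ca)
	defer srv.Close()
	subject, err = get(srv.URL, ca, &tls.Certificate{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey})
	_, noCertErr = get(srv.URL, ca, nil) // trust bundle only: rejected during the handshake
	return subject, noCertErr, err
}
```

Demo() returns "git-client-1" for the client that holds a private key, and a handshake error for the one that does not. The same split applies to the real tools: git's http.sslCert must point at a PEM client certificate and http.sslKey at its private key (git accepts a single PEM file holding both), so pointing http.sslCert at a CA bundle, which contains no private key, is exactly what produces "unable to set private key file"; and on the Jetty side the client's issuer, not the server's own certificate, is what belongs in the truststore.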


2 Comments

I often get confused by SSL certs. I have referred to a few links and generated certificates. I am not sure they are the right ones. It will be great if you provide a few steps to generate certs the proper way that I can use on the server and client side.
I resolved this issue by properly exporting the keystore to .p12 and then creating the .crt file using openssl pkcs12 -in keystore.p12 -out client1.crt. Now my final command looks like this: git -c http.sslcainfo=D:\jetty\punws-sohanba.sigmasys.net.crt -c http.sslCert=D:\jetty\client1.crt -c http.sslCertPasswordProtected clone "https://punws-sohanba.sigmasys.net:8443/git.ctr-0.0.1-SNAPSHOT/dashboard-portal/.git"
