Client certificate login with thin is not forwarding CA to browser => annoying dialog which certificate to use pops up.
Dr. Marc Arnold Bach
I am running a small sinatra application which re-uses a company-wide client certificate every employee has already installed (signed by an internal SSO_CA). My Sinatra/Thin combination is using the server certificate signed by an internal company CA but is expecting the client certificate signed by leading SSO_CA in the trutchain..
Technically this worked fine until we got a second self-signed client certificate on our PCs. The browser is unsure which certificate to use and most users do not read and use the new certificate, which ends in a 403 error.
In addition, browsers remember the decision and you have to explain to many people how to reset the SSL state.
=> Sinatra / Thin/ Eventmachine are not providing an option like :SSLCACertificateFiles '/usr/sinatra/certs/SSO_CA.crt' to tell the browser "please show up with client certificate from SSO_CA"
Webrick has it but this is not the right choice for "production". Moving to Nginx feels strange as I cannot be the first having this issue in Thin. I remember there was somewhere in a forum (cannot find it again) someone telling me that the feature is missing but I found this before I had an understanding that this is going to be my problem as well.
Has anybody an idea how to force Thin/Eventmachine to forward a specific CA suggestion for client certificate? It is not :SSLCACertificateFiles, I tried it already.
:cert_chain_file => File.dirname(__FILE__) + "/keys/comp_key/s3l.cer",
:private_key_file => File.dirname(__FILE__) + "/keys/comp_key/s3l.key",
:verify_peer => true,
:SSLVerifyClient => true
r007
- You need to combine the ssl_certificate.crt file and the IntermediateCA.crt into a single concatenated file
- To get a single concatenated file out of the Intermediate CA and the SSL Certificate run the following command:
cat IntermediateCA.crt >> ssl_certificate.crt