
Molly Brown Certificate Zone Help

Lindsay newsspeak11 at gmail.com

Mon Feb 15 00:03:56 GMT 2021

- - - - - - - - - - - - - - - - - - - 

After some additional reading and trial and error, I think I've made progress, but I'm still not successful.

I've now created a client key and a signed client certificate and added them both to Kristall's certificate manager. I've also managed to generate what I believe is a proper SHA256 hash using this command on my client certificate: openssl dgst -sha256

I believe this is a proper hash as it matches the style and length of the examples provided in the molly.conf file. I've also verified that the fingerprint of the key pair in Kristall matches the fingerprint of the client certificate I used to generate the SHA256 hash.

The Certificate Zone area of the config file now looks something like this:

[CertificateZones]
"^/foo/" = [
"d146953386694266175d10be3617427dfbeb751d1805d36b3c7aedd9de02d9af"
]

Now that I have a certificate value that looks to be correct, I'm not sure what else to try. Are there any verbose logs available that I can enable to see what is being passed to Molly Brown or how the certificates are being compared?

On Sat, Feb 13, 2021 at 7:31 PM Lindsay <newsspeak11 at gmail.com> wrote:

Greetings all,
I am trying to set up a server using Molly Brown and am having trouble
implementing its "Certificate Zone" feature. If this isn't the correct
forum for this question, please let me know.
So far, I've set a directory to require a certificate and successfully tested
it - I am free to access all areas on the site and receive a certificate
challenge to the one directory as configured.
The problem I'm having is understanding how to add a specific client
fingerprint to the "allowed" list in the config file. The Molly Brown
documentation specifies that an allowed value takes the format of "hex-encoded
SHA256 fingerprints of client certificates". I have what I think is a valid
fingerprint that I then converted into hex added to this section (which is
significantly longer than any of the examples provided), but the
corresponding certificate is rejected when provided.
I am certain this is user error. I have very little knowledge of how to
manage certificates and rely on google searches when generating the correct
ones for this server. Assuming the values provided in the example config
file are based on real, working values, my value is nearly 4 times as long.
Here's what I did:
1. Generate a new key with following command:
openssl req -new -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes -out cert.crt -keyout key.key
2. Changed extension on output keys to .pem as required by Kristall Browser
3. Imported key and cert into Kristall
4. Converted the fingerprint of the cert into hexadecimal with the
following command:
echo -n "[Fingerprint went here]" | od -A n -t x1
5. Copied hexadecimal value into Molly Brown configuration file so the section looks like this:
[CertificateZones]
"^/foo/" = [
#
"d146953386694266175d10be3617427dfbeb751d1805d36b3c7aedd9de02d9af",
"aa1ee9e5a1572a4677e9f59e181b5c6a27527c7602bd441e7bf909f681db2eb36c32246c5193a270fcfbc509fef9349b03d6a299907580c90566c881752a01adcd9055fae1e53a308c56020462849b42ab777d67c9c5e3fd0427ec6d42a997",
]
6. Relaunch Molly Brown
Apologies if this is an elementary problem or the incorrect forum for such a question, and I appreciate any help that is provided.
Thanks!
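An added example, not from this thread and not Molly Brown's own code, in Go (the language Molly Brown is written in), showing what a conventional SHA-256 certificate fingerprint is and how a server would compare one against a zone's allow-list. The hash is taken over the DER encoding of the certificate, the bytes the client actually sends in the TLS handshake; that is what `openssl x509 -in cert.pem -noout -fingerprint -sha256` prints (as colon-separated uppercase pairs), or equivalently `openssl x509 -in cert.pem -outform DER | openssl dgst -sha256`. Running `openssl dgst -sha256 cert.pem` directly hashes the PEM file text (headers plus Base64), which yields a different 64-character value, and hex-encoding the ASCII characters of an already-printed fingerprint yields a 128-character string, which is why the value in the first message was about four times too long. The example assumes, without having checked Molly Brown's source, that the server compares against this conventional DER fingerprint; the function names (`fingerprintPEM`, `normalizeFingerprint`, `allowed`, `selfSignedPEM`) and the throwaway self-signed client certificate are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// sha256Hex returns the lowercase hex SHA-256 of arbitrary bytes.
func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// fingerprintPEM parses a PEM certificate and hashes its DER body, which
// is the conventional SHA-256 fingerprint (the bytes sent in the TLS
// handshake). Hashing the PEM file text instead gives an unrelated value.
func fingerprintPEM(pemBytes []byte) (string, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", fmt.Errorf("no CERTIFICATE block in PEM input")
	}
	if _, err := x509.ParseCertificate(block.Bytes); err != nil {
		return "", fmt.Errorf("not a valid X.509 certificate: %w", err)
	}
	return sha256Hex(block.Bytes), nil
}

// normalizeFingerprint accepts what tools print ("sha256 Fingerprint=AB:CD:..."
// from openssl, or bare lowercase hex) and returns 64 lowercase hex chars;
// anything else, e.g. the 128-char hex of an ASCII fingerprint, is rejected.
func normalizeFingerprint(s string) (string, error) {
	s = strings.TrimSpace(s)
	if i := strings.LastIndex(s, "="); i >= 0 {
		s = s[i+1:]
	}
	s = strings.ToLower(strings.ReplaceAll(s, ":", ""))
	if len(s) != sha256.Size*2 {
		return "", fmt.Errorf("expected %d hex chars, got %d", sha256.Size*2, len(s))
	}
	if _, err := hex.DecodeString(s); err != nil {
		return "", fmt.Errorf("not hex: %w", err)
	}
	return s, nil
}

// allowed reports whether a presented client certificate matches one of the
// fingerprints listed for a zone. cert.Raw is the DER encoding, so this is
// the same value fingerprintPEM computes from the PEM file on disk.
func allowed(cert *x509.Certificate, zone []string) bool {
	fp := sha256Hex(cert.Raw)
	for _, entry := range zone {
		if n, err := normalizeFingerprint(entry); err == nil && n == fp {
			return true
		}
	}
	return false
}

// selfSignedPEM builds a throwaway self-signed client certificate so the
// example runs offline (constructed sample, not a real user's certificate).
func selfSignedPEM() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example-client"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	pemBytes, err := selfSignedPEM()
	if err != nil {
		panic(err)
	}
	fp, _ := fingerprintPEM(pemBytes) // freshly generated, so it parses
	fmt.Println("DER fingerprint (the form a CertificateZones entry takes):", fp)
	fmt.Println("SHA-256 of the PEM file text (not a fingerprint):         ", sha256Hex(pemBytes))
}
```

Running it prints two different 64-character values: only the first is the certificate fingerprint. To check a real client certificate the same way, compare `openssl x509 -in cert.pem -noout -fingerprint -sha256` (colons stripped, lowercased) with what the server side computes; if the two agree and the zone still rejects the client, the problem is elsewhere than the hash.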