Need to Specify a CA certificate file to trust when verifying a server SSL certificate

FlexMcMurphy · May 19, 2018, 11:11pm

Hello,

I am using a program called: Proxytunnel to establish secure communication from my Windows 7 client through a forward proxy server I created in an Apache Virtualhost on my home LAN. I use this to establish a tls encrypted connection to my ssh server on my LAN.

Proxytunnel has an option to specify a CA cert for server certificate verification. I hardly have any idea what this means. I have an Apache website on my LAN which is SSL enabled using Letsencrypt. I have these lines in the Virtualhost:

SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem

So I used Certbot to create these certificates.

My Goal:
I want to run this Proxytunnel program from a Windows command line. Something like this:

proxytunnel -v -p example.com:443 -d 192.168.1.124:22

This will connect me through my forward proxy at example.com on port 443 and use the Apache CONNECT to forward to the ssh port 22.

My Question:
The Proxytunnel program has another command line argument -C that allows me to provide a CA cert for server certificate verification. I don't know how to supply this file. The Proxytunnel documentation says:

-C, --cacert=filename/directory
Specify a CA certificate file (or directory containing CA certificate(s)) to trust when verifying a server SSL certificate.
If a directory is provided, it must be prepared with OpenSSL’s c_rehash tool. (default: /etc/ssl/certs)

Can someone advise me how maybe I convert one or all of my Letsencrypt certificates and use it or them as a command line parameter to Proxytunnel program to achieve this client certification authentication?

Something like:

> proxytunnel -v -C myCAcert.pem -p example.com:443 -d 192.168.1.124:22

Thank you,

Flex

_az · May 19, 2018, 11:26pm

On Linux, it uses /etc/ssl/certs by default, so the argument can be omitted.

On Windows, I’m not sure if it falls back to anything. You could try including the DST Root and passing that to --cacert. I don’t think you should include your server’s Let’s Encrypt certificate, since it will change every 60-90 days.

proxytunnel -E -C root.pem ...

Root:

FlexMcMurphy · May 20, 2018, 12:12am

Hello _az,

Thank you so much for that clear and quick reply!

I copied the text of that Certificate to a file called root.pem which I just saved into the same directory as the Proxytunnel program and now my new Proxytunnel command is like this:

D:\Application Data\Proxytunnelv1.9.9-32bit>proxytunnel -v -E -C root.pem -p example.com:443 -d 192.168.1.124:22
SSL client to proxy enabled
Connected to example.com:443 (local proxy)
Set SNI hostname to example.com

Tunneling to 192.168.1.124:22 (destination)
Communication with local proxy:
 -> CONNECT 192.168.1.124:22 HTTP/1.1
 -> Host: example.com
 -> Proxy-Connection: Keep-Alive
 <- HTTP/1.0 200 Connection Established

 <- Proxy-agent: Apache

 <-
&a@▒&acom

Tunnel established.
SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u3

… and it works perfectly.

Thank you !

Flex

_az · May 20, 2018, 1:52am

Great! I should add, that root may not be signing the Let’s Encrypt intermediates ~3-4 years from now, so it may not be a long-term solution.

system · June 19, 2018, 1:52am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Client certificate authentication	11	24164	December 9, 2018
[Solved] Why isn't my certificate trusted? Server	21	77996	February 9, 2017
Putting certificate files under apache2 Server	8	5203	March 20, 2018
Apache SSLCertificateChainFile SSLCACertificateFile question Help	7	5610	March 20, 2021
[Solved] Certificate Not Trusted Server	2	5990	March 4, 2016

Need to Specify a CA certificate file to trust when verifying a server SSL certificate

Related topics