Webconverger / webc

Webconverger's curated chroot from which updates originate
https://webconverger.org/upgrade/

Automatically import p12 during boot #215

Open Apachez- opened 9 years ago

Apachez- commented 9 years ago

Today one can manually import a p12 by adding it to the iso (through ISO Master or whatever tool one might prefer) and with the "noclean" in the boot-string the client cert (or whatever the p12 contains) will stick between restarts of the firefox app (you also need to add "chrome=debug" to the boot-string in order to reach the settings menu of firefox).

However this needs a couple of mouse points and clicks after each reboot ( click =, click settings, click advanced, click certificates, click show certificates, click your certificates, click import, click file system, click lib, click live, click mount, click medium, click p12, click on the p12-file, click open, type in your password and click ok, click ok that the cert was successfully installed, click ok, click close, now you are back to firefox :-), so it would be nice if this could be automated in such a way (as an example):

1) The ISO-admin modifies the ISO and includes the p12 within its own directory in the root like /p12/.p12

2) If webc discovers such a directory (/lib/live/mount/medium/p12) with p12-files it will then (during boot) fire up pk12util (or whatever is needed to import the p12 from the cli) so the content of the p12-files is imported into the keystore of firefox.

According to some docs something like this would be the syntax:

pk12util -d /home/webc/.mozilla/.profile/ -i .p12

If the p12 is password-protected the user will need to supply the correct password before the boot will continue (pk12util will ask for it).

The above gives that even if the disc is lost the sensitive content of p12 is still protected by its password (given that you use a strong enough password). The content of p12 can be used for cases where the target system identifies and authenticates the user through the client certificate as described in http://en.wikipedia.org/wiki/Mutual_authentication

A variant of the above would be if it's possible to (in somewhat easy fashion) import this p12 into the webconverger iso (that is, I as ISO-admin will use ISO Master or whatever) so that, for example, the client cert is already part of the iso (no passwords will be needed during boot). In this case the disc is of course more sensitive.

The point here is to be able to use webconverger for admin purposes of systems that demand mutual authentication (normally you do this by installing a full system like windows or ubuntu and within that browser install your p12 - but this gives that the whole laptop must be protected (like stored in a safety box or whatever security policy your employer might have) compared to just having to store the cd/dvd in a safe...)
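The boot-time import proposed in the comment above, sketched as an added shell example; it is not code from the issue or from Webconverger. The function name `import_p12_dir`, the `PK12UTIL` override and the `--boot` switch are hypothetical, and the Firefox profile directory is passed as an argument because the path quoted in the issue is incomplete.

```shell
#!/bin/sh
# Added example: boot-time import of PKCS#12 files found on the live medium.
# PK12UTIL is overridable (hypothetical knob) so the logic can be exercised
# without the NSS tools installed.
PK12UTIL="${PK12UTIL:-pk12util}"

# import_p12_dir PROFILE_DIR [P12_DIR]
# Prints the number of files imported; returns non-zero if any import failed.
import_p12_dir() {
    profile_dir=$1
    p12_dir=${2:-/lib/live/mount/medium/p12}   # directory named in the issue
    imported=0
    failed=0

    # No such directory on the medium means the feature is not in use.
    [ -d "$p12_dir" ] || { echo 0; return 0; }
    [ -d "$profile_dir" ] || { echo "no profile dir: $profile_dir" >&2; return 2; }

    for f in "$p12_dir"/*.p12; do
        # An unmatched glob stays literal; also skip symlinks and non-regular files.
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        # pk12util asks for the PKCS#12 password itself when the file has one,
        # so no password is stored on the medium or passed on the command line.
        if "$PK12UTIL" -d "$profile_dir" -i "$f" >&2; then
            imported=$((imported + 1))
        else
            echo "import failed: $f" >&2
            failed=$((failed + 1))
        fi
    done

    echo "$imported"
    [ "$failed" -eq 0 ]
}

# Run only when asked, e.g. from a boot hook: script --boot PROFILE_DIR
if [ "${1:-}" = "--boot" ]; then
    import_p12_dir "$2"
fi
```

A failed import is reported and counted rather than aborting the loop, so one wrong password does not block the remaining files.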

kaihendry commented 9 years ago

Could you please provide a P12 to test on a respective test site that uses it?