Koozali.org: home of the SME Server

Hello to all friends here! PHPki problem! Urgent!

Offline dbranko

Hello to all friends here! PHPki problem! Urgent!
« on: September 03, 2023, 03:49:35 PM »
I have a Windows Server running a web app on Java Glassfish. My clients have smart cards and they are using Firefox because of the security module that communicates with the smart card and reader. So, first they need to enter a PIN, then after that step a new login page opens and they need to authenticate as usual with username and pass. Also on this Windows Server there are Apache and Nginx. One of them is working as a proxy or checker for client authentication by smart cards (I think).
How that works:
I had PHPki and I generated PEM certs with opensc (pkcs11) and had to program them onto smart cards.
Now my hardware is broken, so I have a new PHPki on a VM. It works well.
Please help me. I know that I need to somehow make a trust connection and take additional steps to achieve that.
PHPki will not be exposed to the internet, it is just for generating certs (PEM).
What to do? Please help...
« Last Edit: September 03, 2023, 03:51:53 PM by dbranko »

Offline ReetP

Re: Hello to all friends here! PHPki problem! Urgent!
« Reply #1 on: September 03, 2023, 09:25:04 PM »
We need more details about your PHPki installation.

What is PHPki installed on?

What version are you using?
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline dbranko

Re: Hello to all friends here! PHPki problem! Urgent!
« Reply #2 on: September 03, 2023, 09:35:04 PM »
It's the latest SME Server and the latest PHPki installed from contribs. On SME Server, of course. All working on Hyper-V.
« Last Edit: September 03, 2023, 09:38:00 PM by dbranko »

Offline ReetP

Re: Hello to all friends here! PHPki problem! Urgent!
« Reply #3 on: September 03, 2023, 10:37:08 PM »
Note this might be urgent to you, but we are all volunteers. We'll help as best we can.

I'm not sure where you are actually stuck.

Recovering old certificates?
Generating new certificates?

You say PHPki works well (it should be phpki-ng) so what is the actual problem?

Trust problem?

Can you please explain that a bit more?

What steps have you taken?

What errors have you seen?

Offline dbranko

Re: Hello to all friends here! PHPki problem! Urgent!
« Reply #4 on: September 03, 2023, 10:57:58 PM »
I have a web app on a physical Windows Server machine. It works with Java Glassfish as the web app server. So that is the web app, and 50 clients are using it.
They authenticate with smart cards. I am programming those cards with openssl, pkcs11 etc., every 365 because of expiring. I had PHPki installed for more than 11 years on a physical machine. I was creating PEM certs and programming them onto smart cards for each user when the cert expires. Now that machine is broken.
So I decided to install a new instance of PHPki on a VM in Hyper-V on a brand new physical server. I did that with SME Server 10.1 and the contributed PHPki.
I can't recover anything from the old server.
My problem is: I need to make trust between these two servers. I know I should maybe do that with openssl, concatenating certs or whatever, but I don't know where to start.
One thing to be clear:
On the web app server I have Apache and Nginx installed. The purpose of one of them is to check the client's cert on the smart card and then permit or deny connecting further to the web app.
I have the new PHPki and all the certs from it, but I don't know what to do with them to make this functional as it was before the old server failed.
« Last Edit: September 03, 2023, 11:01:29 PM by dbranko »

Offline ReetP

Re: Hello to all friends here! PHPki problem! Urgent!
« Reply #5 on: September 03, 2023, 11:30:19 PM »
Unfortunately you are the only one with knowledge of your software :-(

No backups doesn't help :-(

Others may be around who know about Windows - I have no M$ machines myself.

At a guess Windows needs the public CA certificate available in PHPki to check the individual certificates?

I have no idea how you set up your apache/nginx either (do you really need both?)

Did they use PHPki certs or some other certs?


Offline Jean-Philippe Pialasse

Re: Hello to all friends here! PHPki problem! Urgent!
« Reply #6 on: September 03, 2023, 11:52:24 PM »
Your web app server should have some configuration to check the client certs against something. It is probably still pointing toward the old server.
Also, what is the version of this web server and nginx? It could be that the openssl version supported there is too old for the new PHPki installation.

Those are just some checks among all that could be the issues, because we do not know a lot about your systems.
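
The trust check discussed in the replies above can be reproduced offline with openssl; this is an added example, not part of the original thread or of PHPki. The CA names, the user `alice` and the file names are constructed, and it is an assumption that the proxy reads its trusted client CAs from a PEM bundle (the file nginx's `ssl_client_certificate` or Apache's `SSLCACertificateFile` would point at).

```shell
#!/bin/sh
# Constructed demo: CA names, subjects and file paths are made up for illustration.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca <name>: create a self-signed CA key and certificate (<name>-ca.pem).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1 demo CA" \
        -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.pem" 2>/dev/null
}

# issue_client <ca-name> <user>: issue <user>.pem signed by that CA.
issue_client() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -days 30 \
        -CA "$WORK/$1-ca.pem" -CAkey "$WORK/$1-ca.key" -CAcreateserial \
        -out "$WORK/$2.pem" 2>/dev/null
}

# verdict <ca-bundle> <cert>: print "accepted" if the cert chains to a CA
# in the bundle, "rejected" otherwise (what the verifying proxy would decide).
verdict() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

make_ca old                 # stands in for the CA on the lost server
make_ca new                 # stands in for the CA on the fresh install
issue_client new alice      # card certificate issued by the new CA

# The proxy's bundle (assumed layout) still holds only the old CA.
cp "$WORK/old-ca.pem" "$WORK/trusted-cas.pem"
BEFORE=$(verdict "$WORK/trusted-cas.pem" "$WORK/alice.pem")

# Append the new CA's public certificate; old-CA cards stay valid until expiry.
cat "$WORK/new-ca.pem" >> "$WORK/trusted-cas.pem"
AFTER=$(verdict "$WORK/trusted-cas.pem" "$WORK/alice.pem")

echo "before: $BEFORE, after: $AFTER"
# Show which CA signed the card certificate and when it expires.
openssl x509 -in "$WORK/alice.pem" -noout -issuer -enddate
```

Only the CA's public certificate goes into the bundle; the CA private key stays on the machine that issues certificates.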

Offline dbranko

Re: Hello to all friends here! PHPki problem! Urgent!
« Reply #7 on: September 04, 2023, 08:18:58 PM »
Found certs backup from old PHPki. Any idea how to import them to new PHPki?

Offline Jean-Philippe Pialasse


Offline ReetP

Re: Hello to all friends here! PHPki problem! Urgent!
« Reply #9 on: September 05, 2023, 02:56:44 AM »
Found certs backup from old PHPki. Any idea how to import them to new PHPki?

Once you have got over your temporary struggles I suggest you then start again with a new CA and new certificates, which will be much stronger than your old ones.

The new version of PHPki will do that for you if you start from fresh. Otherwise it will use the old much less secure defaults.
