Client Certificate generation, CRL/OCSP

Dean E
Added almost 5 years ago

talks about how to configure Tigase to allow clients to authenticate with certificates. I am looking to set this up but am having trouble generating client certificates that work for this. Is there a how-to or walkthrough available for generating the proper CA and client certificates so that this works?

Also, two other questions:

  1. How do I force Tigase to require client certificates for XMPP connections?

  2. Will Tigase do CRL or OCSP checking on the client certificates presented?



Replies (2)


Added by Bartosz Małkowski TigaseTeam almost 5 years ago

We don't have any manual for certificates. Try searching for how to make your own CA with openssl.

Other responses:

  1. I understand you want to disable other mechanisms? Use this
  2. No.

Added by Dean E almost 5 years ago

Good info, thanks.

I have made many certificates and have a test CA already. I tried using this guide, except signing with my CA rather than self-signing. That didn't work. I was looking for more info on how to set up the XmppAddr attribute of the certificate, as I think that's the part that isn't working.

Also, the Tigase documentation states "Client certificate must include user's Jabber ID as XmppAddr in subjectAltName:". Although the spec says that if there is no JID in the cert, it MAY (if Tigase was written to support it) authenticate using the CN in the certificate if a JID exists that matches the CN:

"c. If the certificate does not contain an XMPP address, then the server MAY attempt to determine if there is a registered account associated with the user, for example by performing an LDAP lookup based on the Common Name or other information presented by the client in the certificate; if such a JID mapping is successful and the mapped JID matches the authorization identity provided, then the server SHOULD allow authentication and authorization of that mapped JID."
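An added example, not code from this thread or from Tigase, of the part the second post asks about: an OpenSSL script that builds a throw-away test CA, issues a client certificate carrying the JID in subjectAltName as id-on-xmppAddr (otherName OID 1.3.6.1.5.5.7.8.5, as defined for XMPP certificates in RFC 6120), and then checks the result at the DER level so the check does not depend on how a given OpenSSL release pretty-prints otherName. The JID alice@example.com, the CA name, the CN and the scratch directory are constructed for the example.

```shell
#!/bin/sh
# Added example: test CA + client cert with the JID as id-on-xmppAddr in the SAN,
# then a DER-level check that the OID and the UTF8String JID are really present.
set -eu
WORK="$(mktemp -d)"                # constructed scratch dir, removed on exit
trap 'rm -rf "$WORK"' EXIT

# Self-signed test CA (key + certificate).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
    -subj "/CN=Test XMPP CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Issue a client certificate for JID $1. The JID goes into the SAN as an
# otherName with the xmppAddr OID and a UTF8String value; the CN is only a
# display name, so the SAN is the sole carrier of the identity.
make_client_cert() {
  jid="$1"
  cat > "$WORK/client.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
subjectAltName = otherName:1.3.6.1.5.5.7.8.5;UTF8:$jid
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=XMPP client" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -days 30 -sha256 -in "$WORK/client.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/client.ext" -out "$WORK/client.crt" 2>/dev/null
}

# Return 0 only if client.crt chains to the CA and its DER contains the
# xmppAddr OID (06 08 2b 06 01 05 05 07 08 05) followed by a UTF8String
# (tag 0c, one length byte) holding exactly $1.
verify_client_cert() {
  jid="$1"
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/client.crt" >/dev/null || return 1
  der_hex="$(openssl x509 -in "$WORK/client.crt" -outform DER | od -An -v -tx1 | tr -d ' \n')"
  jid_hex="$(printf '%s' "$jid" | od -An -v -tx1 | tr -d ' \n')"
  case "$der_hex" in
    *06082b06010505070805*0c??"$jid_hex"*) return 0 ;;
  esac
  return 1
}

make_ca
make_client_cert "alice@example.com"
verify_client_cert "alice@example.com" && echo "client.crt carries xmppAddr alice@example.com"
```

The verification deliberately reads the raw DER: older OpenSSL builds print an unregistered otherName as `othername:<unsupported>`, which makes `openssl x509 -text` useless for confirming the JID.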