Relativity Server Client Certificates

All

I have been trying to secure Relativity server with an SSL cert, and succeeded with that yesterday after struggling a bit with converting my .cer cert to a .p12 cert. However, when I try to open https://www.mydomain.com:8099, the server info page is showing the correct certificate and the connection is marked as secure by the browser.

Now, I see that the Relativity server is asking for a client certificate. This happens both when I open the website on port 8099 and when I try to log in to my application. I can see on the TROWinInetHTTPChannel there is a ClientCert property for this purpose, but is it really necessary?

Can this be disabled, or will the Relativity Server always ask for client certs? If I have to provide client certs, then how do I get some? Do I create them based on my SSL cert on the server? I’m really not an expert on this.

Thanks for any information regarding this matter so I can proceed creating my first production server for my current client.

Eivind

Hello

What exactly do you mean by "Now, I see that the Relativity server is asking for a client certificate. This happens when I open the website on port 8099"?

Hi

I mean when I navigate to my Relativity URL https://www.mydomain.com:8099 I’m asked to provide a client certificate to authenticate myself on the server. This also happens in my Delphi DataAbstract app as well. Every time I connect to my Relativity server, I’m asked to provide a client certificate. Is this normal behaviour? Or is there something wrong with the way I converted my .cer SSL certificate to Relativity.pfx?

See the screenshots for some images of what it looks like on the client side…

Interesting that Win10/Chrome didn't show any additional dialogues. The certificate has been accepted and the connection is considered secure:

The connection to this site is encrypted and authenticated using TLS 1.2 (a strong protocol), ECDHE_RSA with X25519 (a strong key exchange), and AES_256_GCM (a strong cipher).


Could this be your issue?

https://productforums.google.com/forum/#!topic/chrome/7yOZ6OFuPaw

https://social.technet.microsoft.com/Forums/windows/en-US/696a4a00-423a-4e52-91d5-b6a8b1e28f24/how-to-prevent-ie-windows-security-confirm-certificate-and-request-for-permission-to-use-a-key?forum=w7itprogeneral

Also I noticed that your certificate has

Enhanced Key Usage set to

Server Authentication (1.3.6.1.5.5.7.3.1)
Client Authentication (1.3.6.1.5.5.7.3.2)

while it should be only

Server Authentication (1.3.6.1.5.5.7.3.1)

Antonk

Thanks for your answer. I checked out the Enhanced Key Usage as you mentioned and you are right, there are both the Server and Client Authentication mentioned. I also checked out the SSL certs on talk.remobjects.com as well, and that cert has both Server and Client Authentication as well. However, I have now switched back to using a Relativity generated certificate, and the same thing occurs. As you can see, only the Server Authentication (1.3.6.1.5.5.7.3.1) Purpose is shown in the Relativity generated certificate.

The “Select a certificate to authenticate yourself at https://www.mydomain.com:8099” still pops up on all browsers. Funny part is that on my iPhone, the browser there does not ask for a certificate.

The original SSL certificate I’m trying to use works well for my IIS ISAPI apps with no client certificate issues.

I must admit I’m a little bit lost here. I do not know the whole HTTPS / SSL world well enough to have a say on this issue.

Any further help is highly appreciated.

Thanks

Eivind

Could it be that something was lost during the cer -> p12 conversion? Try to use openssl and reconvert the certificate again.

Antonk

I can certainly try to convert to .p12 again. However, the issue with client certificates still persists when I remove my SSL cert and use a Relativity generated cert. Even then, my Delphi app and all browsers are asking for client certs.

Anyhow, I will try to set up another instance on AWS EC2 and try from scratch. Maybe I have done something wrong during setup. I’ll get back with the results later.

You can add certificate validation at the channel level via the OnInvalidCertificate event of TROWinInetHTTPChannel.

See more at
https://docs.remotingsdk.com/Clients/Tasks/HandlingSelfSignedCertificates/Delphi/#trowininethttpchannel