  2. 17

    I once set up client-certificates for a personal wiki I wanted to be able to access from all my devices. They seemed like the best tradeoff between easy for me to access and difficult for others to access.

    This article points out how many scary dialogs there are but there are much deeper problems. Creating the cert and getting nginx to verify it was… I wouldn’t say a breeze but about as involved as SSL usually is. When it comes to sending the cert…

    Chrome on Ubuntu gets full marks. You type in some commands the internet has well documented and you’re on your way.

    Safari on OSX was a nightmare. Chrome on OSX was also a nightmare. After hours I found just the right format and filename to use for the cert and it worked in Chrome but I never figured out how to get it working in Safari. (If I remember correctly I had to wrap the cert in another file which was required to be password-protected with a password which matched the name of the file.)

    Android is a little harder to get set up than Ubuntu, frequently forgets which cert it ought to send, and sometimes fails to send a cert at all.

    Each of them required a differently formatted client cert. All three of these occasionally broke and locked me out of my wiki until a few months later I added a new device and hadn’t taken good enough notes to quickly get it working. Here’s hoping password protection is enough, I care about being able to use my notes more than stopping other people from reading them.

    1. 4

      One valuable but simple feature for all TLS-using software would be to accept more than one cert/key format. There’s no good reason I should have to run a conversion command to switch between PKCS12 and PEM, since they contain the same underlying data.
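As an added example (not code from either commenter), here is the shape of the setup the thread is describing: a private CA for the wiki, one client certificate per device, the same material exported as PEM (what Linux tools and nginx read) and as a password-protected PKCS#12 bundle (what the macOS Keychain and Android importers want), plus a check that the .p12 really carries the same certificate. All names, the "changeit" import password and the nginx fragment are assumptions for illustration; it only needs the openssl CLI and writes into a scratch directory.

```shell
#!/bin/sh
# Added example, not from the original thread. Issues a private client-auth CA,
# a per-device client cert, and ships it as PEM and PKCS#12; then verifies both.
# Device names, paths and the password "changeit" are made up for the demo.
set -eu

# Create the CA and one client certificate (PEM + PKCS#12) under $1 for device $2.
make_client_bundle() {
    dir=$1; dev=$2
    mkdir -p "$dir"
    # Private CA that only the wiki trusts; nginx verifies client certs against ca.crt.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=wiki client CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # Per-device key and CSR.
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$dev" -keyout "$dir/$dev.key" -out "$dir/$dev.csr" 2>/dev/null
    # Mark it as a TLS client certificate; some clients and servers refuse a cert without this EKU.
    printf 'extendedKeyUsage = clientAuth\n' > "$dir/client.ext"
    openssl x509 -req -in "$dir/$dev.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$dir/client.ext" -out "$dir/$dev.crt" 2>/dev/null
    # PKCS#12 bundle (key + cert + CA chain) for Keychain / Android import.
    # Importers insist on a password; "changeit" is an assumed demo value.
    openssl pkcs12 -export -in "$dir/$dev.crt" -inkey "$dir/$dev.key" -certfile "$dir/ca.crt" \
        -name "wiki $dev" -passout pass:changeit -out "$dir/$dev.p12"
}

# Does the client cert chain to our CA? This is what nginx's ssl_verify_client checks.
verify_client_cert() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# Pull the cert back out of the .p12 and compare SHA-256 fingerprints with the PEM original:
# same underlying data, different container.
pkcs12_roundtrip_ok() {
    dir=$1; dev=$2
    openssl pkcs12 -in "$dir/$dev.p12" -passin pass:changeit -nokeys -clcerts \
        -out "$dir/$dev.from_p12.pem" 2>/dev/null
    a=$(openssl x509 -in "$dir/$dev.crt" -noout -fingerprint -sha256)
    b=$(openssl x509 -in "$dir/$dev.from_p12.pem" -noout -fingerprint -sha256)
    [ "$a" = "$b" ]
}

# Minimal nginx server-block fragment that requires the client cert (written out, not applied).
write_nginx_fragment() {
    cat > "$1/client-auth.conf" <<EOF
    ssl_client_certificate $1/ca.crt;   # CA the presented client cert must chain to
    ssl_verify_client on;               # reject handshakes that present no valid client cert
    ssl_verify_depth 1;                 # CA signs device certs directly, no intermediates
EOF
}

# Demo run in a scratch directory.
WORK=$(mktemp -d)
make_client_bundle "$WORK" laptop
write_nginx_fragment "$WORK"
verify_client_cert "$WORK" laptop && echo "laptop.crt chains to ca.crt"
pkcs12_roundtrip_ok "$WORK" laptop && echo "laptop.p12 carries the same cert as laptop.crt"
```

Two practical caveats: OpenSSL 3 writes PKCS#12 with AES-256-CBC and PBKDF2 by default, and some older importers only understand the old RC2/3DES encoding, which the `-legacy` flag of `openssl pkcs12` produces; and with `ssl_verify_client on` a device whose import silently failed gets a bare TLS handshake failure rather than a page, which is the "locked out of my wiki" experience above. Keeping the .p12 and its password in the same notes as the CA key is the cheapest insurance against that.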