SSL with mutual certificate authentication

11 posts / 0 new
Last post
SSL with mutual certificate authentication


Would it be possible to extend the SSL support with mutual certificate authentication where the client also has to show its certificate to the server so that the server can check if the client is allowed to connect?

Ease the use of clients and server when they are directly connecting over the internet without any additional tools (e.g. openvpn, stunnel, plink, etc.).


Yes this is supported in

Yes this is supported in server 2.1.0 and client 2.8.3, see here for setup

Great! Thanks for adding the

Great! Thanks for adding the client cert support.

It would be nice if you could improve the SSL documentation a little bit:
* I had to use double backslashes for the path
* In the vhui.ini there sections: I have just put the sslPort option to the [General] section. For the SSLClientCert it is already specified to put it in the [General] section.

In the server FAQ there is a typo with double "the":
* "SSLCAFileThis file is contains the PEM encoded Certificate Authority(CA) Trusted Root Certificates used the the Server and Client SSL certificates."

Thanks again for this great product!

Would it also be possible to

Would it also be possible to add a CRL file (certificate revokation list) to disable certain certificates so that it is not necessary to generate a new CA cert and as a result of this, generate new client certificates for all users?

OK, download 2.1.7 of the

OK, download 2.1.7 of the server and then add UseSSLCRL=1 to the server config.ini then append your CRL's in PEM format to the server.pem file and it should work according the openssl documentation.

Great! Thanks for adding!

Great! Thanks for adding!

BTW: I am using this PKI tool for handling all the cert stuff:
git clone

Then simply run the command "easyrsa" in the "easyrsa3" subdir.
The only thing that has to be done manually afterwards is to concatenate the public certificate and the private key (and optionally the CRL) into one PEM file. "easyrsa" also generates the CRL in PEM format which contains the revoked certificates.

Thats good to know, openssl

Thats good to know, openssl cli is a PIA :)



I am just testing the CRL support.
Enabling the option "UseSSLCRL=1" results in no working SSL connections anymore.
I have tried the pure server.pem without CRL in PEM format and with an empty CRL in PEM format (added to server.pem) which was generated by "easyrsa gen-crl" and no certificates have been revoked before.

As soon as I disable the option "UseSSLCRL=0", it works again.

What am I doing wrong?

Server says that it got no client certificate. The client gives an SSL alert: bad certificate.

I am unsure: is there

I am unsure: is there something like an empty CRL at all?

However, I would expect even when enabling the option "UseSSLCRL=1" and there is no CRL block in the server.pem that it accepts all clients which it currently does not.

This is the post i used to

This is the post i used to implement the code:

The exact code i used is in the 2nd post, i think you need to add the crl to the ca file, could you try that i think i might have my docs wrong..

I would like to confirm that

I would like to confirm that is working if you add the CRL (PEM format) to the CA.PEM file.
I have created a new test certificate which allowed the client to connect to the server. An empty CRL was present in the CA.PEM file.
Then I revoked this certificate, generated a new CRL and updated the CA.PEM file with this new CRL content.
If the client connects, it is correctly denied access with the following message:

20:00:03 INFO :VirtualHere Client 2.8.7 starting (Compiled: Apr 8 2015 18:44:21)
20:00:03 INFO :Found config in executable path, using D:\Tools\virtualusb\client\gui\windows\vhui.ini
20:00:03 INFO :IPC available at \\.\pipe\vhclient
20:00:03 INFO :Auto-find (Bonjour) on
20:00:03 INFO :Auto-find (Bonjour SSL) on
20:00:04 INFO :SSL_connect failed when connecting to raspberrypi.local.:17574, error:14094414:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate revoked


Log in or register to post comments