From: "Randall S. Becker" <rsbecker@nexbridge.com>
To: "'Sergei Haller'" <sergei@sergei-haller.de>, <git@vger.kernel.org>
Subject: RE: Multiple GIT Accounts & HTTPS Client Certificates - Config
Date: Mon, 10 Sep 2018 09:29:32 -0400 [thread overview]
Message-ID: <001901d4490a$528d7590$f7a860b0$@nexbridge.com> (raw)
In-Reply-To: <CAPO0KtU=do8nmJggP4-k1BingdseZUuRjWraGjuN01VoEYU=1Q@mail.gmail.com>
On September 10, 2018 4:09 AM, Sergei Haller wrote:
> my problem is basically the following: my git server (https) requires
> authentication using a clent x509 certificate.
>
> And I have multiple x509 certificates that match the server.
>
> when I access the https server using a browser, the browser asks which
> certificate to use and everything is fine.
>
> When I try to access the git server from the command line (git pull or similar),
> the git will pick one of the available certificates (randomly or alphabetically)
> and try to access the server with that client certificate. Ending in the
> situation that git picks the wrong certificate.
>
> I can workaround by deleting all client certificates from the windows
> certificate store except the "correct" one => then git command line will pick
> the correct certificate (the only one available) and everything works as
> expected.
>
> Workaround is a workaround, I need to use all of the certificates repeatedly
> for different repos and different other aplications (non-git), so I've been
> deliting and reinstalling the certificates all the time in the last weeks...
>
> How can I tell git cmd (per config option??) to use a particular client
> certificate for authenticating to the https server (I could provide fingerprint
> or serial number or sth like that)
>
> current environment: windows 10 and git version 2.18.0.windows.1
>
> Would be absolutely acceptable if git would ask interactively which client
> certificate to use (in case its not configurable)
>
> (I asked this question here before:
> https://stackoverflow.com/questions/51952568/multiple-git-accounts-
> https-client-certificates-config
> )
Would you consider using SSH to authenticate? You can control which private key you use based on your ~/.ssh/config entries, which are case sensitive. You can choose the SSH key to use by playing with the case of the host name, like:
github.com
Github.com
gitHub.com
even if your user is "git" in all cases above. It is a bit hacky but it is part of the SSH spec and is supported by git and EGit (as of 5.x).
Cheers,
Randall
--
Randall S. Becker
Managing Director, Nexbridge Inc.
LinkedIn.com/in/randallbecker
+1.416.984.9826
next prev parent reply other threads:[~2018-09-10 13:29 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-10 8:09 Multiple GIT Accounts & HTTPS Client Certificates - Config Sergei Haller
2018-09-10 13:29 ` Randall S. Becker [this message]
2018-09-11 7:29 ` Sergei Haller
2018-09-11 7:42 ` Sergei Haller
2018-09-13 4:17 ` brian m. carlson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='001901d4490a$528d7590$f7a860b0$@nexbridge.com' \
--to=rsbecker@nexbridge.com \
--cc=git@vger.kernel.org \
--cc=sergei@sergei-haller.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).