
Supplying client certificates through EO Options
serializer
Posted: Thursday, July 9, 2020 11:29:28 AM
Rank: Advanced Member
Groups: Member

Joined: 5/9/2016
Posts: 84
We have a *.p12 certificate and a site which requires a client certificate.
When navigating to this site, the NeedClientCertificate event is raised and we try to handle this event.

// Load the *.p12 file from disk using its password
System.Security.Cryptography.X509Certificates.X509Certificate cert = new System.Security.Cryptography.X509Certificates.X509Certificate();
cert.Import(filepath, password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags.DefaultKeySet);
// Hand the loaded certificate to the browser engine
e.Continue(cert);

But the site returns 403 - Forbidden: Access is denied.

We tried with the Chrome browser (installing manually, and it works). Another interesting fact is that EO works after installing the certificate locally. But we want to provide the cert at runtime without a local install.

So, what could be the problem?
eo_support
Posted: Friday, July 10, 2020 9:32:28 AM
Rank: Administration
Groups: Administration

Joined: 5/27/2007
Posts: 24,217
Hi,

The key for a client certificate to work is that the private key has to be available to the browser engine (because the browser engine needs the private key to encrypt data). The easiest way to make sure the private key is available is to pass the entire p12 data through this method:

https://www.essentialobjects.com/doc/eo.webbrowser.needclientcertificateeventargs.continue_overload_2.aspx

You could also install the certificate into your local certificate store and then call Continue(cert) -- in fact this is how this version of Continue is supposed to work. This way the OS has the private key.

Thanks!
serializer
Posted: Friday, July 10, 2020 10:36:18 AM
Rank: Advanced Member
Groups: Member

Joined: 5/9/2016
Posts: 84
It is not 100% clear. Do you require that we install the cert locally on the computer, or is it enough to supply the cert through this method? Because supplying the cert does not seem to work. Do you have any test site so we can prove the method works?
eo_support
Posted: Friday, July 10, 2020 10:54:02 AM
Rank: Administration
Groups: Administration

Joined: 5/27/2007
Posts: 24,217
Hi,

It will work if:

1. You call Continue with a byte array that is the entire contents of your p12 file. This will work because this byte array contains the private key;

-- OR --

2. You add the certificate to the certificate store, then call Continue with the corresponding X509Certificate object that you get from the certificate store. This will work because the OS has the private key.

It will not work if you simply construct an X509Certificate object the way you did. This is because typically an X509Certificate object does not contain the private key. This is the portion of the certificate that you pass around so that other people can use it to decrypt the information that you encrypted with your private key. However, if you only pass this portion to the browser engine as the client certificate, it won't work because the sole purpose of a client certificate is for encryption, not for decryption.

In either case, the certificate you provide must also be trusted by the server. This usually is not an issue if the certificate is issued by a known trusted certificate authority, but it can be an issue if you use self-signed certificates. So this is the second issue to check when a client certificate does not work (the first issue is the private key).

Hope this helps.

Thanks!
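The two working paths described in the reply above, and the pre-check a practitioner would want before handing anything to the browser engine, as an added example in C#. This is not EO's code or code from the thread: the helper names, the thumbprint lookup and the `Continue(byte[], string)` call shape are assumptions; the actual overload signature should be taken from the linked EO documentation page.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;

// Added example (not EO's code): verify that a client certificate carries
// its private key before it is offered to the browser engine, using either
// of the two approaches named in the reply above.
static class ClientCertHelper
{
    // Approach 1: the raw PKCS#12 (*.p12) bytes. The private key travels
    // inside this blob, which is why passing the whole file works.
    public static byte[] LoadPkcs12Bytes(string path) => File.ReadAllBytes(path);

    // Pre-check: decode the blob with its password and confirm a private
    // key is actually present. EphemeralKeySet keeps the key out of the
    // persistent key store, so nothing is "installed" by this check.
    public static bool Pkcs12HasPrivateKey(byte[] pkcs12, string password)
    {
        try
        {
            using var cert = new X509Certificate2(pkcs12, password,
                X509KeyStorageFlags.EphemeralKeySet);
            return cert.HasPrivateKey;
        }
        catch (System.Security.Cryptography.CryptographicException)
        {
            // Wrong password or not a PKCS#12 container: no usable key.
            return false;
        }
    }

    // Approach 2: the certificate was installed into the user's store, so
    // the OS holds the private key. Look it up by thumbprint (assumed to be
    // known to the caller) and insist that HasPrivateKey is true.
    public static X509Certificate2? FindInStoreWithKey(string thumbprint)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        var matches = store.Certificates.Find(
            X509FindType.FindByThumbprint, thumbprint, validOnly: false);
        return matches.Count == 1 && matches[0].HasPrivateKey ? matches[0] : null;
    }
}

// Hypothetical event handler showing where each path plugs in.
// Assumption: EO exposes a Continue overload taking the p12 bytes and the
// password (the "overload 2" linked above); check the docs for the exact shape.
static class NeedClientCertificateExample
{
    public static void Handle(dynamic e, string p12Path, string password)
    {
        byte[] pkcs12 = ClientCertHelper.LoadPkcs12Bytes(p12Path);

        if (!ClientCertHelper.Pkcs12HasPrivateKey(pkcs12, password))
        {
            // Offering a key-less certificate is what produces the 403 in the
            // thread; fail early with a clear message instead.
            throw new InvalidOperationException(
                "PKCS#12 file does not yield a private key; check the file and password.");
        }

        e.Continue(pkcs12, password); // assumed overload, see lead-in
    }
}
```

If the pre-check passes but the server still answers 403, the remaining cause the reply lists is trust: the server must accept the issuer of the client certificate, which a self-signed certificate will fail unless the server has been configured to trust it.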

