Rank: Newbie Groups: Member
Joined: 4/8/2020 Posts: 2
|
I'm building an application for the US Air Force, and need to access a site that does mTLS. That is, the HTTPS connection requires a client certificate. Standalone Chrome (and MS Edge and MSIE 11, even the default MSIE 7 based .NET webbrowser control) presents a dialog to select a client certificate, then obtains the selected certificate (using whatever is registered in Windows, such as WINCAPI, ActivClient etc.). In my case the client certificate will be on a DoD CAC card, inserted into a smartcard reader, so the registered handler (WinCAPI, ActivClient etc.) prompts for a PIN. That is, it just works "out of the box".

But the EO WebBrowser just says "The current page accepts/requires a client certificate. Please handle the NeedClientCertificate event." How do I handle the NeedClientCertificate event, or more specifically, how do I make the EO WebBrowser handle client certificates like a normal web browser?

There's nothing in your Help about this. I found a Support forum topic: "NeedClientCertificate, HandleLoadFailed: Error code:-117" in which a user has a similar problem, but there's no resolution.
I'm using EO.WebBrowser V2020.0.33.0
Thanks!
|
Rank: Administration Groups: Administration
Joined: 5/27/2007 Posts: 24,217
|
Hi,

You can try to display all certificates and let the user choose a certificate with this class: https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509certificate2ui?view=netframework-4.8

Then pass the selected certificate to the browser engine through e.Continue(selectedCertificate). Currently we do not have a smart card test environment here so we are not able to verify it. In theory this should work since the certificate on the smart card would be automatically imported into the personal certificate store and, when accessed, Windows would prompt for the PIN. If the certificate is not already in the certificate store, then the browser engine would need the certificate's private key, and it is common that a smart card would not allow the private key to be exported for security reasons; in that case it can be an issue.

Please let us know if this works for you. If necessary we can acquire a smart card test environment and investigate further on our end.

Thanks!
|
Rank: Newbie Groups: Member
Joined: 4/8/2020 Posts: 2
|
Thanks for the reply. But it appears that EO.WebBrowser has not implemented client certificate handling (there's a lot more to it than the sample you pointed to). Oh well, back to the drawing board - looking for a product that does...
|
Rank: Administration Groups: Administration
Joined: 5/27/2007 Posts: 24,217
|
We did implement client certificate handling and it covers both cases:

1. The certificate is already in the certificate store. In that case you can simply provide the certificate without private key in your NeedClientCertificate handler;
2. The certificate is not in the certificate store (for example, you have a pk12 file). In that case you will need to provide either the raw certificate data that includes the private key, or a certificate object that can be exported with private key;

A smart card should fall under case #1. The missing part is that we have not tested case #1 with a smart card; we have only tested it with a regular certificate that is already imported.
|
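An added example, not code from either poster or from EO: a sketch of case #1 using only .NET Framework classes, picking a certificate from the current user's personal store and returning it without touching its private key. The class name `ClientCertPicker` and the way it is wired into the NeedClientCertificate handler (shown only in the closing comment) are assumptions; `e.Continue(...)` is the call named in the reply above.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper (name chosen for this example).
static class ClientCertPicker
{
    // OID of the "Client Authentication" enhanced key usage.
    const string ClientAuthOid = "1.3.6.1.5.5.7.3.2";

    // Returns the certificate the user picked, or null when nothing
    // suitable is in the store or the dialog was cancelled.
    public static X509Certificate2 Select(IntPtr ownerWindow)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);

            // Keep certificates that are inside their validity period and
            // usable for client authentication. validOnly is false so no
            // chain building (and no network access) happens here.
            X509Certificate2Collection candidates = store.Certificates
                .Find(X509FindType.FindByTimeValid, DateTime.Now, false)
                .Find(X509FindType.FindByApplicationPolicy, ClientAuthOid, false);

            if (candidates.Count == 0)
                return null;

            // Standard Windows certificate picker, parented to the host window.
            X509Certificate2Collection picked = X509Certificate2UI.SelectFromCollection(
                candidates,
                "Client certificate",
                "Select a certificate to present to this site",
                X509SelectionFlag.SingleSelection,
                ownerWindow);

            // The private key is never read or exported: for a smart card
            // it stays on the card and only the public certificate is returned.
            return picked.Count == 1 ? picked[0] : null;
        }
    }
}

// Assumed wiring inside the NeedClientCertificate handler, with "e" being
// the event arguments as in the reply above:
//     X509Certificate2 cert = ClientCertPicker.Select(hostWindowHandle);
//     if (cert != null) e.Continue(cert);
```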