How do you handle client certificate authentication?
Paul Cullen
Posted: Wednesday, April 8, 2020 8:16:57 PM
Rank: Newbie
Groups: Member

Joined: 4/8/2020
Posts: 2
I'm building an application for the US Air Force, and need to access a site that does mTLS. That is, the HTTPS connection requires a client certificate. Standalone Chrome (and MS Edge and MSIE 11, even the default MSIE 7 based .NET webbrowser control) presents a dialog to select a client certificate, then obtains the selected certificate (using whatever is registered in Windows, such as WINCAPI, ActivClient etc.). In my case the client certificate will be on a DoD CAC card, inserted into a smartcard reader, so the registered handler (WinCAPI, ActivClient etc.) prompts for a PIN. That is, it just works "out of the box".

But the EO WebBrowser just says "The current page accepts/requires a client certificate. Please handle the NeedClientCertificate event."

How do I handle the NeedClientCertificate event, or more specifically, how do I make the EO WebBrowser handle client certificates like a normal web browser?

There's nothing in your Help about this.

I found a Support forum topic: "NeedClientCertificate, HandleLoadFailed: Error code:-117" in which a user has a similar problem, but there's no resolution.

I'm using EO.WebBrowser V2020.0.33.0

Thanks!
eo_support
Posted: Thursday, April 9, 2020 10:29:20 AM
Rank: Administration
Groups: Administration

Joined: 5/27/2007
Posts: 24,217
Hi,

You can try to display all certificates and let the user choose a certificate with this class:

https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509certificate2ui?view=netframework-4.8

Then pass the selected certificate to the browser engine through e.Continue(selectedCertificate).

Currently we do not have a smart card test environment here, so we are not able to verify it. In theory this should work, since the certificate on the smart card would be automatically imported into the personal certificate store and, when accessed, Windows would prompt for the PIN. If the certificate is not already in the certificate store, then the browser engine would need the certificate's private key, and it is common that a smart card would not allow the private key to be exported for security reasons; in that case it can be an issue.

Please let us know if this works for you. If necessary we can acquire a smart card test environment and investigate further on our end.

Thanks!
Paul Cullen
Posted: Thursday, April 9, 2020 11:00:38 AM
Rank: Newbie
Groups: Member

Joined: 4/8/2020
Posts: 2
Thanks for the reply. But it appears that EO.WebBrowser has not implemented client certificate handling (there's a lot more to it than the sample you pointed to). Oh well, back to the drawing board - looking for a product that does...
eo_support
Posted: Thursday, April 9, 2020 12:46:37 PM
Rank: Administration
Groups: Administration

Joined: 5/27/2007
Posts: 24,217
We did implement client certificate handling and it covers both cases:

1. The certificate is already in the certificate store. In that case you can simply provide the certificate without private key in your NeedClientCertificate handler;
2. The certificate is not in the certificate store (for example, you have a pk12 file). In that case you will need to provide either the raw certificate data that includes the private key, or a certificate object that can be exported with private key.

Smart cards should fall under case #1. The missing part is that we have not tested case #1 with a smart card; we have only tested it with a regular certificate that is already imported.
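
Added example, not part of the thread and not EO's own code: one way to implement case #1 with the `X509Certificate2UI` class linked above, filtering the personal store down to certificates usable for TLS client authentication before showing the picker. The class name `ClientCertPicker` and the handler wiring in the final comment are assumptions; only the `NeedClientCertificate` event name and `e.Continue(...)` come from the posts above, and this has not been tested against EO.WebBrowser or a smart card.

```csharp
// Added example. Requires a reference to System.Security.dll (.NET Framework).
using System;
using System.Security.Cryptography.X509Certificates;

static class ClientCertPicker   // hypothetical helper name
{
    const string ClientAuthOid = "1.3.6.1.5.5.7.3.2"; // id-kp-clientAuth EKU

    // Returns the certificate the user picked, or null if nothing is usable
    // or the dialog was cancelled.
    public static X509Certificate2 Pick(IntPtr ownerWindow)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);

            // validOnly: false, so no chain is built here; the server validates it.
            X509Certificate2Collection found = store.Certificates
                .Find(X509FindType.FindByTimeValid, DateTime.Now, false)
                .Find(X509FindType.FindByApplicationPolicy, ClientAuthOid, false)
                .Find(X509FindType.FindByKeyUsage, X509KeyUsageFlags.DigitalSignature, false);

            // Keep only certificates with a private key linked in the store.
            var usable = new X509Certificate2Collection();
            foreach (X509Certificate2 cert in found)
                if (cert.HasPrivateKey) usable.Add(cert);
            if (usable.Count == 0) return null;

            X509Certificate2Collection picked = X509Certificate2UI.SelectFromCollection(
                usable, "Client certificate",
                "Select a certificate to authenticate with:",
                X509SelectionFlag.SingleSelection, ownerWindow);
            if (picked.Count == 0) return null;

            // Case #1 above: hand over the public certificate only. The private
            // key stays in the store or on the card and is never exported.
            return new X509Certificate2(picked[0].RawData);
        }
    }
}

// Wiring (assumption: the handler signature follows EO's documentation):
//   webView.NeedClientCertificate += (sender, e) =>
//   {
//       X509Certificate2 cert = ClientCertPicker.Pick(IntPtr.Zero);
//       if (cert != null) e.Continue(cert);
//   };
```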

