Rank: Advanced Member Groups: Member
Joined: 5/9/2016 Posts: 84
We have a *.p12 certificate and a site which requires a client certificate. When navigating to this site, the NeedClientCertificate event is raised, and we try to handle this event like this:

using System.Security.Cryptography.X509Certificates;

// Inside the NeedClientCertificate handler:
X509Certificate cert = new X509Certificate();
// Load the .p12 file with its password; DefaultKeySet leaves key storage to the OS.
cert.Import(filepath, password, X509KeyStorageFlags.DefaultKeySet);
e.Continue(cert);

But the site returns 403 - Forbidden: Access is denied.
We tried with the Chrome browser (installing it manually, and it works). Another interesting fact is that EO works after installing the certificate locally. But we want to provide the cert at runtime without a local install.
So, what could be the problem?
Rank: Administration Groups: Administration
Joined: 5/27/2007 Posts: 24,217
Hi, The key for a client certificate to work is that the private key has to be available to the browser engine (because the browser engine needs the private key to encrypt data). The easiest way to make sure the private key is available is to pass the entire p12 data through this method: https://www.essentialobjects.com/doc/eo.webbrowser.needclientcertificateeventargs.continue_overload_2.aspx
You could also install the certificate into your local certificate store and then call Continue(cert) ---- in fact this is how this version of Continue is supposed to work. This way the OS has the private key. Thanks!
Rank: Advanced Member Groups: Member
Joined: 5/9/2016 Posts: 84
It is not 100% clear. Do you require that the cert be installed locally on the computer, or is it enough to supply the cert through this method? Supplying the cert does not seem to work. Do you have any test site so we can prove the method works?
Rank: Administration Groups: Administration
Joined: 5/27/2007 Posts: 24,217
Hi,
It will work if:
1. You call Continue with a byte array that is the entire contents of your p12 file. This will work because this byte array contains the private key;
-- OR --
2. You add the certificate to the certificate store, then call Continue with the corresponding X509Certificate object that you get from the certificate store. This will work because the OS has the private key;
It will not work if you simply construct an X509Certificate object the way you did. This is because typically an X509Certificate object does not contain the private key. This is the portion of the certificate that you pass around so that other people can use it to decrypt the information that you encrypted with your private key. However, if you only pass this portion to the browser engine as the client certificate, it won't work because the sole purpose of a client certificate is for encryption, not for decryption.
In either case, the certificate you provide must also be trusted by the server. This usually is not an issue if the certificate is issued by a known trusted certificate authority, but it can be an issue if you use self-signed certificates. So this is the second issue to check when the client certificate does not work (the first issue is the private key).
Hope this helps.
Thanks!
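As an added example (not EO's code and not the poster's), a small C# helper for the two working paths the reply lists, plus the HasPrivateKey check a practitioner would run before handing anything to the engine; ClientCertSource, the thumbprint argument and the p12 path are assumed names, and only e.Continue(cert) and the existence of a byte-array overload come from the thread.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;

// Helper for the two working paths from the reply. Names here are hypothetical;
// only e.Continue(cert) and the byte-array overload come from the thread itself.
static class ClientCertSource
{
    // Path 1: the raw PKCS#12 file. These bytes carry the private key, so the
    // engine can sign the TLS handshake (CertificateVerify) with it.
    public static byte[] ReadPkcs12(string p12Path) => File.ReadAllBytes(p12Path);

    // Path 2: look the certificate up in the user's store, where the OS keeps the
    // private key that was imported alongside it.
    public static X509Certificate2 FromStore(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);
            var found = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            return found.Count == 1 ? found[0] : null;
        }
    }

    // Rule out the first cause the reply names: an object that carries only the
    // public part and so cannot prove possession of the key during the handshake.
    public static bool CanAuthenticate(X509Certificate2 cert)
        => cert != null && cert.HasPrivateKey;
}

// In the NeedClientCertificate handler (EO's own event and args type, as on the page):
//
//   var cert = ClientCertSource.FromStore(thumbprint);
//   if (!ClientCertSource.CanAuthenticate(cert))
//       throw new InvalidOperationException("certificate has no private key");
//   e.Continue(cert);
//
// For path 1, pass ClientCertSource.ReadPkcs12(path) to the Continue overload
// linked in the reply; its exact parameter list is not reproduced here.
```

If CanAuthenticate passes and the server still answers 403, the remaining item on the reply's list is trust: the server must accept the issuing CA, which self-signed certificates typically fail.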