Re: Using a Java Keytool created certificate in HTTPWebRequest.ClientCertificates



Outstanding. Thanks for all your advice. I was about to post back
saying pretty much exactly that.

I now have the connection working but I did the following:

(1) Created the server X509 DER certificate using OpenSSL with the CN
set to the server name (the cause of my previous
RemoteCertificateNameMismatch)
(2) Installed and configured HTTPS on the Server using this X509 DER
certificate
(3) Connected to the server via HTTP using Internet Explorer
(4) Installed the Certificate from the Server to the Personal store
(5) Ran the test C# application which loaded up all the Certificates
found in the Personal Store using

using System.Net;
using System.Security.Cryptography.X509Certificates;
...
// Open the CurrentUser\My (Personal) store read-only and hand every
// certificate in it to the request as a candidate client certificate.
X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);
foreach (X509Certificate cert in store.Certificates)
{
    webRequest.ClientCertificates.Add(cert);
}
store.Close();


(6) Implemented the ServerCertificateValidationCallback as follows

using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
...
ServicePointManager.ServerCertificateValidationCallback =
    new RemoteCertificateValidationCallback(RemoteServerCertificateValidationCallback);
...
// Accepts every server certificate regardless of what sslPolicyErrors
// reports, so chain errors (the "Untrusted Root" here) and any name
// mismatch are silently ignored.
public static bool RemoteServerCertificateValidationCallback(
    Object sender, X509Certificate certificate, X509Chain chain,
    SslPolicyErrors sslPolicyErrors)
{
    return true; // sorry, awful I know
}

(7) HTTPS calls now work at the expense of ignoring the
RemoteCertificateChainErrors.ChainStatus = "Untrusted Root" error.

Is this what you suggested? Do I not need to deal with steps 3 or 4?

Al


On Dec 4, 9:31 am, "Joe Kaplan"
<joseph.e.kap...@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Is your goal here to just get SSL working with the server or to also
authenticate the client with SSL client certificate auth?

If you just want an HTTPS connection to the server, you don't need to
specify anything with client certs on the client side.  You just need to get
the client to trust the server's certificate.  There are two ways to do
this:
 - Fix the chain such that the client trusts the server's certificate with
default policy, or
 - Implement a custom policy that ignores some or all of the SSL policy
errors that you don't want to fix

To fix the chain locally, the Windows client must trust the server's
certificate.  For that, the issuer must chain up to a trusted root, the
subject name must match the host name in the URL and the certificate must be
in its validity period.

If you don't want to fix the trust chain because you don't care about
proving the identity of the server and just want encryption, then you can
implement a callback that allows you to ignore SSL errors.

If you really do want client cert auth, that is likely more complex.  You'll
have to deal with the above mentioned stuff, but then you'll also need to
issue a valid client certificate to the client.  You can't use the server's
certificate on the client (unless you've created both a client and server
authentication cert, but that would be a weird PKI usage).

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net

"bigAPE" <alex.madd...@xxxxxxxxx> wrote in message
.
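The two options in the reply above (fix the chain, or implement a custom policy) and the `return true` callback in the post can be illustrated with a narrower callback. The following is an added example written for this thread, not code from either poster: instead of accepting everything, it accepts the one known self-signed server certificate by thumbprint, only when the sole chain problem is the untrusted root, and still rejects a hostname mismatch; it also picks a single client certificate by thumbprint rather than adding every certificate in the Personal store. The thumbprint values, the `https://servername/` URL and the class name are placeholders assumed for the example.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example for the thread, not code from either post. The two
// thumbprints below are placeholders (assumed values); replace them with
// the SHA-1 thumbprints Windows shows for your own certificates.
static class PinnedHttpsClient
{
    // Thumbprint of the server's self-signed certificate (assumed value).
    const string ServerThumbprint = "0123456789ABCDEF0123456789ABCDEF01234567";

    // Thumbprint of the client-auth certificate in CurrentUser\My (assumed value).
    const string ClientThumbprint = "89ABCDEF0123456789ABCDEF0123456789ABCDEF";

    // "Custom policy" done narrowly: tolerate exactly one known
    // self-signed server certificate and nothing else.
    public static bool ValidateServerCertificate(object sender,
        X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        if (sslPolicyErrors == SslPolicyErrors.None)
            return true; // default Windows policy already trusts it

        // A hostname mismatch or missing certificate is exactly what an
        // interposed server would produce, so these are never tolerated.
        if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0 ||
            (sslPolicyErrors & SslPolicyErrors.RemoteCertificateNotAvailable) != 0 ||
            chain == null)
            return false;

        // What remains is RemoteCertificateChainErrors. Allow it only when the
        // sole problem is the untrusted root; expiry, revocation, wrong key
        // usage and so on still fail.
        foreach (X509ChainStatus status in chain.ChainStatus)
        {
            if (status.Status != X509ChainStatusFlags.UntrustedRoot)
                return false;
        }

        // Finally the presented leaf must be the one certificate we pinned.
        var presented = new X509Certificate2(certificate);
        return string.Equals(presented.Thumbprint, ServerThumbprint,
                             StringComparison.OrdinalIgnoreCase);
    }

    // Select one client certificate by thumbprint and check it actually
    // carries a private key; a DER import gives you the public half only.
    public static X509Certificate2 FindClientCertificate()
    {
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            X509Certificate2Collection matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, ClientThumbprint, false);
            if (matches.Count == 0)
                throw new InvalidOperationException(
                    "client certificate not found in CurrentUser\\My");
            if (!matches[0].HasPrivateKey)
                throw new InvalidOperationException(
                    "client certificate has no private key; import the PFX, not the DER");
            return matches[0];
        }
        finally
        {
            store.Close();
        }
    }

    public static string Get(string url, bool useClientCert)
    {
        // Note: this callback is process-wide on ServicePointManager.
        ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;

        var request = (HttpWebRequest)WebRequest.Create(url);
        if (useClientCert)
            request.ClientCertificates.Add(FindClientCertificate());

        using (var response = (HttpWebResponse)request.GetResponse())
        using (var reader = new StreamReader(response.GetResponseStream()))
        {
            return reader.ReadToEnd();
        }
    }

    static void Main()
    {
        // Plain HTTPS first; pass true only if the server asks for client cert auth.
        Console.WriteLine(Get("https://servername/", false));
    }
}
```

If you would rather take the first option and fix the chain, import the self-signed server certificate into the client's Trusted Root Certification Authorities store (not the Personal store); the default policy then reports SslPolicyErrors.None and the callback can be removed entirely. Either way the CN/hostname check stays in force, so the RemoteCertificateNameMismatch fix from step (1) is still needed.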


