HttpWebRequest using Certificates

Discussion in 'ASP .Net Security' started by Josef Brunner, Mar 3, 2006.

  1. Hi everybody,

    my VB.NET (Framework 2.0) client application has to do a HttpWebRequest (for
    reading web-pages and downloading files) on a web server. The server uses a
    self-signed certificate and the client application should also use a
    self-signed certificate (of course, signed by the same self-made CA) so we
    would have an authentication of both directions: the server to the client
    and the other way round.

    Is there a way to programmatically load the self-signed server certificate
    in my VB application? Something like:

    Private _WebClient As HttpWebRequest
    Private _ClientCert As X509Certificate2 = LoadCert() ' This already works

    _WebClient = CType(WebRequest.Create(_Server + "site.html"), HttpWebRequest)
    _WebClient.ClientCertificates.Add(_ClientCert)

    ' Something like this.....
    _WebClient.AuthorizedCertificateAuthorities.Add("MyCA.crt")

    Dim NewResponse As HttpWebResponse = CType(_WebClient.GetResponse(), HttpWebResponse)

    So far my client does not accept the server certificate since it could not
    establish the trust relationship! Of course, since my client does not know
    about the CA. And I don't want to have to install the certificate/CA on each
    machine that I need to install the software on.

    Any ideas?

    Thank you very much,

    Josef
     
    Josef Brunner, Mar 3, 2006
    #1

  2. Hello,

    Here is a sample that may help:

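    using System;
    using System.Net;
    using System.Security.Cryptography.X509Certificates;

    HttpWebRequest httprq = (HttpWebRequest)HttpWebRequest.Create(uri);
    httprq.Method = "POST";
    httprq.ContentType = "text/xml; charset=utf-8";

    // Look up the client certificate by subject name in the current user's
    // personal store. validOnly = true returns only certificates that pass
    // validation, so the issuing CA must already be trusted on this machine.
    string certificateName = "ABC";
    X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
    store.Open(OpenFlags.ReadOnly);
    X509Certificate2Collection certificates =
        store.Certificates.Find(X509FindType.FindBySubjectName, certificateName, true);
    store.Close();

    // Fail with a clear message instead of an index error when nothing matches.
    if (certificates.Count == 0)
        throw new InvalidOperationException("No valid certificate found for subject " + certificateName);
    X509Certificate certificate = certificates[0];
    httprq.ClientCertificates.Add(certificate);

    // Response
    HttpWebResponse httprp = (HttpWebResponse)httprq.GetResponse();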

    Also, the server certificate's root authority must be trusted by the client
    and the client certificate's root authority must be trusted by the server.

    Regards,

    Luke Zhang
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
     
    Luke Zhang [MSFT], Mar 3, 2006
    #2

  3. Hi,

    sure - get a cert from a CA that is already trusted on every single Windows
    machine, e.g. VeriSign.

    Then you don't have to install anything extra.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

     
    Dominick Baier [DevelopMentor], Mar 3, 2006
    #3
  4. Hi Luke,

    thanks for the advice with the certificate store. What I'm trying to do right
    now is to load all certificates (client, server, ca) into the corresponding
    certificate stores. But
    1. I still get the ..."Could not establish trust relationship for the
    SSL/TLS secure channel" error message
    2. I cannot find the certificates I just added to the different certificate
    stores within the IE...

    Here's the code...maybe I do something wrong while adding them...

    Private _ClientCert As X509Certificate2
    Private _ServerCert As X509Certificate2
    Private _CACert As X509Certificate2

    Public Sub New(ByVal ClientCertFile As String, ByVal ServerCertFile As String, ByVal CACertFile As String)
        _ClientCert = ReadCertificate(ClientCertFile)
        _ServerCert = ReadCertificate(ServerCertFile)
        _CACert = ReadCertificate(CACertFile)

        ' CA certificate -> LocalMachine store for intermediate certificate authorities
        Dim CAstore As New X509Store(StoreName.CertificateAuthority, StoreLocation.LocalMachine)
        CAstore.Open(OpenFlags.ReadWrite)
        CAstore.Add(_CACert)
        CAstore.Close()

        ' Server certificate -> LocalMachine store for directly trusted people and resources
        Dim ServerStore As New X509Store(StoreName.TrustedPeople, StoreLocation.LocalMachine)
        ServerStore.Open(OpenFlags.ReadWrite)
        ServerStore.Add(_ServerCert)
        ServerStore.Close()

        ' Client certificate -> LocalMachine personal store
        Dim ClientStore As New X509Store(StoreName.My, StoreLocation.LocalMachine)
        ClientStore.Open(OpenFlags.ReadWrite)
        ClientStore.Add(_ClientCert)
        ClientStore.Close()
    End Sub

    Thanx,

    Josef
     
    Josef Brunner, Mar 3, 2006
    #4
  5. Hi Dominick,

    "Dominick Baier [DevelopMentor]" <>
    wrote in message news:...
    > sure - get a cert from a CA that is already trusted on every single
    > Windows machine, e.g. VeriSign.
    >
    > Then you don't have to install anything extra.


    I'm sure this will solve my problem, but right now I don't have (the
    permission to get) such a cert :(

    Any other idea?
    J
     
    Josef Brunner, Mar 3, 2006
    #5
  6. Hi,

    so what was your original question then - how to get it to work with your
    test cert?

    Or how to avoid installing certs on every client machine..?

    these are mutually exclusive.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

     
    Dominick Baier [DevelopMentor], Mar 3, 2006
    #6
  7. Hi,

    you are right, the question should be:
    how do I get it to work with my test certs?

    sorry for not being specific,
    J
     
    Josef Brunner, Mar 3, 2006
    #7
  8. Hi,

    ok - your client has to trust the server cert and vice versa

    the cert has to be imported into the trusted root ca store on both machines
    - the ca cert must be set to provider "authentication" purpose

    read more here:
    http://www.leastprivilege.com/IIS6AndClientCertificates.aspx

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

     
    Dominick Baier [DevelopMentor], Mar 3, 2006
    #8
  9. See also comments (for server-side cert install) at end of section 1 here:
    http://www.jensign.com/JavaScience/dotnet/SSLCapicom

    You could deploy the root CA certificate to the clients and have them
    import it into the trusted CA store (in .NET 2 only, or using CAPICOM
    interop in .NET 1.1) .. but each client will be presented with a "warning
    on importing a trusted root CA cert" dialog .. which is of course very
    important.

    - Mitch Gallant
     
    Mitch Gallant, Mar 3, 2006
    #9
  10. Thank you all!

    I got it to work... but you were right: If you don't use a known CA like
    VeriSign & Co. you will have to install the CA on each client machine.

    But I could load the client certificate programmatically, which is pretty
    smooth. So when delivering the software the user will just get a client
    certificate signed by a known CA that he'll have to put in his config
    directory...and that's it :)

    Have a great weekend,
    J
     
    Josef Brunner, Mar 3, 2006
    #10
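
Added example, not part of the thread and not any poster's code: for test certificates issued by a private CA, the client can check the server chain against a CA file shipped with the application, using `ServicePointManager.ServerCertificateValidationCallback`, and accept the connection only when the chain ends in exactly that CA. `PinnedCaValidator`, the file names, the URL and the password are hypothetical.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example: PinnedCaValidator, the file names, URL and password are hypothetical.
static class PinnedCaValidator
{
    static X509Certificate2 _ca;

    public static void Install(string caPath)
    {
        _ca = new X509Certificate2(caPath); // CA certificate file shipped with the app
        // Process-wide hook: every HttpWebRequest in this AppDomain is validated here.
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }

    static bool Validate(object sender, X509Certificate cert,
                         X509Chain osChain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
            return true; // chain already trusted by the machine store

        // Only an untrusted chain is tolerated; a host name mismatch or a
        // missing certificate is rejected outright.
        if ((errors & ~SslPolicyErrors.RemoteCertificateChainErrors) != SslPolicyErrors.None)
            return false;

        X509Chain chain = new X509Chain();
        chain.ChainPolicy.ExtraStore.Add(_ca);
        // Assumption: the test CA publishes no CRL, so revocation is not checked.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.ChainPolicy.VerificationFlags =
            X509VerificationFlags.AllowUnknownCertificateAuthority;

        // Still fails on an expired certificate or a bad signature.
        if (!chain.Build(new X509Certificate2(cert)))
            return false;

        // AllowUnknownCertificateAuthority accepts any untrusted root, so the
        // chain must also end in exactly the CA certificate we shipped.
        X509Certificate2 root =
            chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        return Convert.ToBase64String(root.RawData) == Convert.ToBase64String(_ca.RawData);
    }
}

static class Program
{
    static void Main()
    {
        PinnedCaValidator.Install("MyCA.crt");
        HttpWebRequest req =
            (HttpWebRequest)WebRequest.Create("https://server.example/site.html");
        req.ClientCertificates.Add(new X509Certificate2("client.pfx", "pfx-password-placeholder"));
        using (HttpWebResponse resp = (HttpWebResponse)req.GetResponse())
            Console.WriteLine(resp.StatusCode);
    }
}
```

The callback never returns true unconditionally: name mismatches are rejected, and an untrusted chain passes only when its root is byte-for-byte the shipped CA certificate.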