HttpWebRequest using Certificates

Josef Brunner

Hi everybody,

my VB.NET (Framework 2.0) client application has to do a HttpWebRequest (for
reading web-pages and downloading files) on a web server. The server uses a
self-signed certificate and the client application should also use a
self-signed certificate (of course, signed by the same self-made CA) so we
would have an authentication of both directions: the server to the client
and the other way round.

Is there a way to programmatically load the self-signed server certificate
in my VB application? Something like:

Private _WebClient As HttpWebRequest
Private _ClientCert As X509Certificate2 = LoadCert() ' This already works

_WebClient = CType(WebRequest.Create(_Server + "site.html"), HttpWebRequest)
_WebClient.ClientCertificates.Add(_ClientCert)

' Something like this.....
_WebClient.AuthorizedCertificateAuthorities.Add("MyCA.crt")

Dim NewResponse As HttpWebResponse = CType(_WebClient.GetResponse(), HttpWebResponse)

So far my client does not accept the server certificate since it could not
establish the trust relationship! Of course, since my client does not know
about the CA. And I don't want to have to install the certificate/CA on each
machine that I need to install the software on.

Any ideas?

Thank you very much,

Josef

Luke Zhang [MSFT]

Hello,

Here is a sample that may help:

using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;

HttpWebRequest httprq = (HttpWebRequest)HttpWebRequest.Create(uri);
httprq.Method = "POST";
httprq.ContentType = "text/xml; charset=utf-8";

// Look up the client certificate by subject name in the current user's
// personal store; the final "true" returns only currently valid certificates.
string certificateName = "ABC";
X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);
X509Certificate2Collection certificates =
    store.Certificates.Find(X509FindType.FindBySubjectName, certificateName, true);
store.Close();
if (certificates.Count == 0)
    throw new InvalidOperationException("No valid certificate with subject " + certificateName);
X509Certificate certificate = certificates[0];
httprq.ClientCertificates.Add(certificate);

// Response
HttpWebResponse httprp = (HttpWebResponse)httprq.GetResponse();

Also, the server certificate's root authority must be trusted by the client and
the client certificate's root authority must be trusted by the server.

Regards,

Luke Zhang
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Dominick Baier [DevelopMentor]

Hi,

sure - get a cert from a CA that is already trusted on every single Windows
machine, e.g. VeriSign.

Then you don't have to install anything extra.

Josef Brunner

Hi Luke,

thanks for the advice with the certificate store. What I'm trying to do right
now is to load all certificates (client, server, CA) into the corresponding
certificate stores. But
1. I still get the "Could not establish trust relationship for the
SSL/TLS secure channel" error message
2. I cannot find the certificates I just added to the different certificate
stores within IE...

Here's the code...maybe I do something wrong while adding them...

Imports System.Security.Cryptography.X509Certificates

Private _ClientCert As X509Certificate2
Private _ServerCert As X509Certificate2
Private _CACert As X509Certificate2

' ReadCertificate loads an X509Certificate2 from a file (helper defined elsewhere)
Public Sub New(ByVal ClientCertFile As String, ByVal ServerCertFile As String, ByVal CACertFile As String)
    _ClientCert = ReadCertificate(ClientCertFile)
    _ServerCert = ReadCertificate(ServerCertFile)
    _CACert = ReadCertificate(CACertFile)

    ' CA certificate -> machine-wide Intermediate Certification Authorities store
    Dim CAstore As New X509Store(StoreName.CertificateAuthority, StoreLocation.LocalMachine)
    CAstore.Open(OpenFlags.ReadWrite)
    CAstore.Add(_CACert)
    CAstore.Close()

    ' Server certificate -> machine-wide Trusted People store
    Dim ServerStore As New X509Store(StoreName.TrustedPeople, StoreLocation.LocalMachine)
    ServerStore.Open(OpenFlags.ReadWrite)
    ServerStore.Add(_ServerCert)
    ServerStore.Close()

    ' Client certificate -> machine-wide Personal store
    Dim ClientStore As New X509Store(StoreName.My, StoreLocation.LocalMachine)
    ClientStore.Open(OpenFlags.ReadWrite)
    ClientStore.Add(_ClientCert)
    ClientStore.Close()
End Sub

Thanx,

Josef

Josef Brunner

Hi Dominick,

"Dominick Baier [DevelopMentor]" <[email protected]>
wrote in message:
sure - get a cert from a CA that is already trusted on every single
Windows machine, e.g. VeriSign.

Then you don't have to install anything extra.

I'm sure this will solve my problem, but right now I don't have (the
permission to get) such a cert :(

Any other idea?
J

Dominick Baier [DevelopMentor]

Hi,

so what was your original question then - how to get it to work with your
test cert?

Or how to avoid installing certs on every client machine..?

these are mutually exclusive.

Josef Brunner

Hi,

you are right, the question should be:
how do I get it to work with my test certs?

sorry for not being specific,
J

Mitch Gallant

See also comments (for server-side cert install) at end of section 1 here:
http://www.jensign.com/JavaScience/dotnet/SSLCapicom

You could deploy the root CA certificate to the clients and have them
import it into the trusted CA store (in .NET 2 only, or using CAPICOM
interop in .NET 1.1) .. but each client will be presented with a "warning
on importing a trusted root CA cert" dialog .. which is of course very
important.

- Mitch Gallant

Josef Brunner

Thank you all!

I got it to work... but you were right: if you don't use a known CA like
VeriSign & Co., you will have to install the CA on each client machine.

But I could load the client certificate programmatically, which is pretty
smooth. So when delivering the software the user will just get a client
certificate signed by a known CA that he'll have to put in his config
directory...and that's it :)

Have a great weekend,
J

Dominick Baier said:
Hi,
ok - your client has to trust the server cert and vice versa

the cert has to be imported into the trusted root ca store on both
machines - the ca cert must be set to provider "authentication" purpose

read more here:
http://www.leastprivilege.com/IIS6AndClientCertificates.aspx

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
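Tying the thread together, here is an added C# example (not code from any of the posters) of what Josef asked for in the first post: the client certificate is loaded from a file in the config directory, and the server certificate is checked against the self-made CA, also loaded from a file, so nothing has to be installed into the machine's certificate store. The file names, the PFX password and the URL are assumptions.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example, not code from the thread. Assumed layout: the self-made CA
// certificate (ca.crt) and the client certificate with its key (client.pfx)
// sit in the application's config directory; URL and password are placeholders.
static class MutualTlsClient
{
    static readonly X509Certificate2 TrustedCa =
        new X509Certificate2(Path.Combine("config", "ca.crt"));
    // Accept the server certificate only if it chains to our own CA.
    // A callback that simply returns true would switch validation off entirely.
    public static bool ValidateServer(object sender, X509Certificate cert,
                                      X509Chain chain, SslPolicyErrors errors)
    {
        if (cert == null) return false;
        // A host-name mismatch is a hard failure even when the chain is ours.
        if ((errors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0) return false;
        return ChainsToTrustedCa(new X509Certificate2(cert));
    }

    public static bool ChainsToTrustedCa(X509Certificate2 serverCert)
    {
        X509Chain custom = new X509Chain();
        // The CA is not in the machine store, so offer it as an extra chain
        // element and tolerate an unknown root while building...
        custom.ChainPolicy.ExtraStore.Add(TrustedCa);
        custom.ChainPolicy.VerificationFlags =
            X509VerificationFlags.AllowUnknownCertificateAuthority;
        custom.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // test CA has no CRL
        if (!custom.Build(serverCert)) return false;   // expired, bad signature, etc.
        // ...then require that the root reached is exactly our CA (pin by thumbprint).
        X509Certificate2 root =
            custom.ChainElements[custom.ChainElements.Count - 1].Certificate;
        return root.Thumbprint == TrustedCa.Thumbprint;
    }

    public static HttpWebResponse Get(string url)
    {
        ServicePointManager.ServerCertificateValidationCallback = ValidateServer;
        HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url);
        // Client side of the mutual authentication: present our own certificate.
        req.ClientCertificates.Add(
            new X509Certificate2(Path.Combine("config", "client.pfx"), "pfx-password"));
        return (HttpWebResponse)req.GetResponse();
    }
}
```

ServicePointManager.ServerCertificateValidationCallback is process-wide, so every HTTPS request in the application goes through ValidateServer. Pinning to the CA thumbprint also means a server certificate the OS would otherwise trust is rejected unless it chains to that CA.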