certificate = New X509Certificate2(certFile, password)
service.ClientCertificates.Add(certificate)
resultString = service.DoSomething()
However, when my code reaches the line where I actually call the webservice, I am prompted with a dialog that asks me to enter my password (same as if I'd used the certificate to log into homebanking etc.).
I would like my application to run in the background, without requiring the user to enter the password every time the webservice is called.
Do you have a p12 or pfx file that contains the certificate and private key instead?
What I'm guessing is happening is that you supply the .cer file, and .NET uses that to locate the matching certificate installed in the local store and then tries to access the private key in the local store to do the client auth, but it does not use the password you supplied to access the key, because that particular constructor is designed to use a stand-alone p12 file and use the password to open it.
Just a guess...
-- Joe Kaplan-MS MVP Directory Services Programming Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net
That seems like a very reasonable assumption. How else would it know to show the same logon dialog as when I use the signature to sign into a website?
The problem is, the private key is not exportable in certmgr, and the documentation for the webservice also shows an example where only a .cer file is used.
The documentation for the webservice is, however, for .NET 1.1 and X509Certificate, and I'm trying to use .NET 2.0.
I have also experimented with using "Add service reference" instead of "Add web reference", but I don't know if that gives me any additional options...
"Joe Kaplan" wrote:
> "kejster" <kejs...@discussions.microsoft.com> wrote in message
> news:329232C8-3E99-4FF7-B607-A5E9B9536118@microsoft.com...
> > I'm trying to talk to a webservice that requires a certificate. I have
> > generated a .CER file using certmgr.
> > My code looks like this:
> >
> > ServicePointManager.ServerCertificateValidationCallback = New RemoteCertificateValidationCallback(AddressOf ValidateServerCertificate)
> > certificate = New X509Certificate2(certFile, password)
> > service.ClientCertificates.Add(certificate)
> > resultString = service.DoSomething()
> >
> > However, when my code reaches the line where I actually call the webservice, I am prompted with a dialog that asks me to enter my password (same as if I'd used the certificate to log into homebanking etc.).
> >
> > I would like my application to run in the background, without requiring the user to enter the password every time the webservice is called.
Would it make any difference if I loaded the certificate from the local store? That would also be viable in my scenario.
Like so?:
Dim certificate As New X509Certificate
Dim store As New X509Store(StoreName.My, StoreLocation.CurrentUser)
ServicePointManager.ServerCertificateValidationCallback = New RemoteCertificateValidationCallback(AddressOf ValidateServerCertificate)
store.Open(OpenFlags.ReadOnly)
Try
    Dim Results As X509CertificateCollection = store.Certificates.Find(X509FindType.FindBySubjectName, "THE COMMON NAME HERE", False)
    If Results.Count = 0 Then
        Throw New Exception("Unable to find certificate!")
    Else
        certificate = Results(0)
    End If
Finally
    store.Close()
End Try
service.Url = ConfigurationManager.AppSettings.Get("ServiceURL")
service.ClientCertificates.Add(certificate)
resultString = service.DoSomething()
And how would I supply the password for the private key there?
I'm not really sure on this one. The CspParameters class has a KeyPassword property you can specify. I don't know if that works with local keys protected by password.
If so, you could try to find a way to get the RSACryptoServiceProvider associated with your certificate's private key and import that setting from ImportParameters.
Maybe someone else has a better idea as well.
-- Joe Kaplan-MS MVP Directory Services Programming Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net
The requirement for the password is an attribute of the certificate. You probably will not be able to add a clear-text-format password to a certificate you have loaded in memory. This is usually handled by client software that will protect the clear-text password.
The requirement for a certificate in the first place is the web service. If the web service will specifically require a particular certificate that is designed to require a password you will probably not be able to get around it.
However, if the web service only requires a certificate from a particular Cert Authority perhaps you can get one of these Application Certificates that do not require a password.
These you can load from the cert store on a web server to, for example, access a web service on another server that only allows/authenticates access with a certificate. I have had to deal with this kind of situation with smart cards before.
Joe Kaplan wrote:
Re: Password for certificate 02-Oct-09
Just a follow-up on this, since I finally figured it out.
The problem was, as described by Joe Kaplan, that my cer-file did not have the private key, and somehow, it would look in the local store, which in my case was a CSP from a company called DanID here in Denmark.
The solution to getting a file I can use in my application is:
Use the CSP to generate a backup of the certificate. This generates an HTML file with, among other things, an entry called pkcs12="..........
So, I copied the string between the quotes to a new file, split it into lines of 64 characters, and used openssl to decode it:
I then removed the CSP software, and imported the pkcs file into Firefox.
Then, I used Firefox to create a backup of the certificate, which came out as a p12 file that now works with my app, using the X509Certificate2 constructor:
X509Certificate2 cert = new X509Certificate2(@"c:\test\ds.p12", "passwordhere"); // verbatim string: a plain "c:\test" would turn \t into a tab
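As an added example (not code from this thread, nor from Microsoft or DanID), here is how the two approaches discussed above, loading a PKCS#12 file and looking the certificate up in the user's store, can be wrapped so that an unattended service fails with a clear error when no usable private key is present instead of hitting the CSP's password dialog at call time. The class and method names are mine; the password is a parameter the caller should read from protected configuration rather than a literal as in the snippet above, and a CSP that guards its key with its own PIN will still prompt even when HasPrivateKey is true, which is why the exported p12 was the working answer here.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Added example, not code from the thread: load a client certificate for the
// web-service call and fail fast when it cannot be used unattended.
public static class ClientCertLoader
{
    // Load from a PKCS#12 (.p12/.pfx). A bare .cer also passes through this
    // constructor, but without a private key it cannot do client authentication.
    // DefaultKeySet is the .NET 2.0-era flag; on .NET 4.7.2+/.NET Core prefer
    // X509KeyStorageFlags.EphemeralKeySet so the key is never written to a store.
    public static X509Certificate2 LoadFromPkcs12(string path, string password)
    {
        X509Certificate2 cert = new X509Certificate2(path, password,
            X509KeyStorageFlags.DefaultKeySet);
        return CheckUsable(cert, path);
    }

    // Load from the user's store by thumbprint (unique per certificate) rather
    // than by subject name, and only accept certificates that chain and are
    // currently valid (validOnly = true). The thumbprint is hex without spaces.
    public static X509Certificate2 LoadFromStore(string thumbprint)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, true);
            if (found.Count != 1)
                throw new InvalidOperationException(
                    "Expected exactly one valid certificate with thumbprint " + thumbprint);
            return CheckUsable(found[0], "store:" + thumbprint);
        }
        finally { store.Close(); }
    }

    // Shared sanity checks before the certificate is handed to the proxy's
    // ClientCertificates collection.
    private static X509Certificate2 CheckUsable(X509Certificate2 cert, string source)
    {
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException(source +
                ": no private key is available; export a PKCS#12 file instead of a .cer.");
        if (DateTime.Now > cert.NotAfter)
            throw new InvalidOperationException(source + ": certificate expired " + cert.NotAfter);
        return cert;
    }
}
```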
Thanks for the follow-up. I was hoping someone would find a good solution to passing a password to the CSP, but this is a viable workaround if you have a p12!
-- Joe Kaplan-MS MVP Directory Services Programming Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net