
Password for certificate


kejster

Oct 1, 2009, 6:14:04 AM
I'm trying to talk to a webservice that requires a certificate. I have
generated a .CER file using certmgr.
My code looks like this:

Imports System.Configuration
Imports System.Net
Imports System.Net.Security
Imports System.Security.Cryptography.X509Certificates

' Server certificate validation is delegated to ValidateServerCertificate
ServicePointManager.ServerCertificateValidationCallback = New RemoteCertificateValidationCallback(AddressOf ValidateServerCertificate)

Dim certFile As String = ConfigurationManager.AppSettings.Get("CertificateFile")
Dim password As String = ConfigurationManager.AppSettings.Get("CertPassword")

' Load the client certificate from the file named in the config, opening it with the password
Dim certificate As New X509Certificate2(certFile, password)

service.ClientCertificates.Add(certificate)
Dim resultString As String = service.DoSomething()

However, when my code reaches the line where I actually call the webservice,
I am prompted with a dialog that asks me to enter my password (same as if I'd
used the certificate to log into homebanking etc.).

I would like my application to run in the background, without requiring the
user to enter the password every time the webservice is called.

Any suggestions?

Joe Kaplan

Oct 1, 2009, 10:17:32 PM
Do you have a p12 or pfx file that contains the certificate and private key
instead?

What I'm guessing is happening is that you supply the .cer file and .NET
uses that to locate the matching certificate installed in the local store
and then tries to access the private key in the local store to do the client
auth but it does not use the password you supplied to access the key because
that particular constructor is designed to use a stand alone p12 file and
use the password to open it.

Just a guess...

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
"kejster" <kej...@discussions.microsoft.com> wrote in message
news:329232C8-3E99-4FF7...@microsoft.com...

kejster

Oct 2, 2009, 3:13:01 AM
That seems like a very reasonable assumption. How else would it know how to
show the same logon dialog as when I use the signature to sign into a website?

The problem is, the private key is not exportable in certmgr, and the
documentation for the webservice also shows an example where only a .cer file
is used.

The documentation for the webservice is, however, for .NET 1.1 and
X509Certificate, and I'm trying to use .NET 2.0.

I have also experimented with using "Add service reference" instead of "Add
web reference", but I don't know if that gives me any additional options...

kejster

Oct 2, 2009, 3:30:01 AM
Would it make any difference if I loaded the certificate from the local store?
That would also be viable in my scenario.

Like so?:

Imports System.Configuration
Imports System.Net
Imports System.Net.Security
Imports System.Security.Cryptography.X509Certificates

Dim certificate As X509Certificate2 = Nothing
Dim store As New X509Store(StoreName.My, StoreLocation.CurrentUser)

ServicePointManager.ServerCertificateValidationCallback = New RemoteCertificateValidationCallback(AddressOf ValidateServerCertificate)

store.Open(OpenFlags.ReadOnly)
Try
    ' Find returns an X509Certificate2Collection, so Results(0) is an X509Certificate2
    Dim Results As X509Certificate2Collection = store.Certificates.Find(X509FindType.FindBySubjectName, "THE COMMON NAME HERE", False)
    If Results.Count = 0 Then
        Throw New Exception("Unable to find certificate!")
    Else
        certificate = Results(0)
    End If
Finally
    store.Close()
End Try

service.Url = ConfigurationManager.AppSettings.Get("ServiceURL")
service.ClientCertificates.Add(certificate)
resultString = service.DoSomething()

And how would I supply the password for the private key there?

Regards, Kejster.

Joe Kaplan

Oct 2, 2009, 4:53:08 AM
I'm not really sure on this one. The CspParameters class has a KeyPassword
property you can specify. I don't know if that works with local keys
protected by password.

If so, you could try to find a way to get the RSACryptoServiceProvider
associated with your certificate's private key and import that setting from
ImportParameters.

Maybe someone else has a better idea as well.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
"kejster" <kej...@discussions.microsoft.com> wrote in message
news:D5C0500A-526B-4131...@microsoft.com...

bradroberts

Oct 8, 2009, 3:21:06 PM
The requirement for the password is an attribute of the certificate. You probably will not be able to add a clear-text-format password to a certificate you have loaded in memory. This is usually handled by client software that will protect the clear-text password.

The requirement for a certificate in the first place is the web service. If the web service will specifically require a particular certificate that is designed to require a password you will probably not be able to get around it.

However, if the web service only requires a certificate from a particular Cert Authority perhaps you can get one of these Application Certificates that do not require a password.

These you can load from the cert store on a web server to, for example, access a web service on another server that only allows/authenticates access with a certificate.
I have had to deal with this kind of situation with smart cards before.


kejster

Oct 29, 2009, 8:48:01 AM
Just a follow-up on this, since I finally figured it out.

The problem was, as described by Joe Kaplan, that my cer-file did not have
the private key, and somehow, it would look in the local store, which in my
case was a CSP from a company called DanID here in Denmark.

The solution to getting a file I can use in my application is:

Use the CSP to generate a backup of the certificate. This generates a
HTML-file with, among other things, an entry called pkcs12="..........

So, I copied the string between the quotes to a new file, split it into
lines of 64 characters, and used openssl to decode it:

openssl enc -d -a -in DS.b64 -out DS.pkcs12

(or:

awk -F \" '/^pkcs12=/ {print $2}' DS.html | fold -b -w 64 | openssl enc -d -a > DS.pkcs12

)

I then removed the CSP software, and imported the pkcs file into FireFox.

Then, I used FireFox to create a backup of the certificate, which came out
as a p12 file, that now works with my app, using the X509Certificate2
constructor:

// Verbatim string so that "\t" in the path is not read as a tab character
X509Certificate2 cert = new X509Certificate2(@"c:\test\ds.p12", "passwordhere");

Phew!
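The extraction step described in the post above (pull the pkcs12="..." value out of the backup HTML, re-wrap it to 64-character lines, decode it), written up as an added Python example; this is not code from the thread or from DanID. It adds one check the shell pipeline lacks: the decoded bytes must form a single DER SEQUENCE whose encoded length matches the data, which a PKCS#12 (PFX) file always is, so a truncated or mis-copied string is rejected before it is ever written out and handed to X509Certificate2. SAMPLE_HTML and SAMPLE_DER are constructed for the demo and are not a real certificate backup; the regex, function names and the output file name DS.pkcs12 are this example's own choices.

```python
import base64
import binascii
import re
import textwrap

# Constructed sample in the shape the post describes: one line of the form
# pkcs12="<base64>". The payload is a hand-built 8-byte DER SEQUENCE, NOT a
# real PKCS#12 file, so the structural check has something concrete to test.
SAMPLE_DER = bytes([0x30, 0x06, 0x02, 0x01, 0x03, 0x04, 0x01, 0xAA])
SAMPLE_HTML = (
    "<html><body>\n"
    "<!-- other backup entries would appear here -->\n"
    'pkcs12="' + base64.b64encode(SAMPLE_DER).decode("ascii") + '"\n'
    "</body></html>\n"
)

# Same match as the awk pattern in the post: a line starting with pkcs12=
PKCS12_RE = re.compile(r'^pkcs12="([^"]*)"', re.MULTILINE)


def extract_pkcs12_b64(html: str) -> str:
    """Return the base64 text between the quotes of the pkcs12="..." entry."""
    m = PKCS12_RE.search(html)
    if not m:
        raise ValueError('no pkcs12="..." entry found in backup')
    # Tolerate stray whitespace or line breaks inside the quoted value
    return "".join(m.group(1).split())


def fold64(b64: str) -> str:
    """Re-wrap to 64-character lines, the layout the post fed to openssl enc -a."""
    return "\n".join(textwrap.wrap(b64, 64)) + "\n"


def der_length_ok(blob: bytes) -> bool:
    """True if blob is exactly one DER SEQUENCE (tag 0x30) and its length
    field accounts for every remaining byte. A PFX/PKCS#12 file is a
    top-level SEQUENCE, so anything else is not a usable .p12."""
    if len(blob) < 2 or blob[0] != 0x30:
        return False
    first = blob[1]
    if first < 0x80:                      # short-form length
        length, header = first, 2
    else:                                 # long-form: low 7 bits = byte count
        n = first & 0x7F
        if n == 0 or n > 4 or len(blob) < 2 + n:
            return False
        length = int.from_bytes(blob[2:2 + n], "big")
        header = 2 + n
    return header + length == len(blob)


def decode_backup(html: str) -> bytes:
    """Extract, strictly base64-decode and structurally check the PKCS#12 blob.
    Raises ValueError instead of producing a bogus file."""
    b64 = extract_pkcs12_b64(html)
    try:
        blob = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"pkcs12 entry is not valid base64: {exc}") from exc
    if not der_length_ok(blob):
        raise ValueError("decoded data is not a single DER SEQUENCE; not a PKCS#12 file")
    return blob


if __name__ == "__main__":
    blob = decode_backup(SAMPLE_HTML)
    with open("DS.pkcs12", "wb") as f:
        f.write(blob)
    print(f"wrote {len(blob)} bytes to DS.pkcs12")
    print("inspect with: openssl pkcs12 -info -in DS.pkcs12 -noout")
```

Run it against the real backup by reading the HTML file into decode_backup() in place of SAMPLE_HTML. The DER check is deliberately shallow: it proves the blob is whole, not that it is a valid PFX, which is what the openssl pkcs12 -info command (the same tool the post uses) confirms. The resulting file carries the private key protected only by the p12 password, so it deserves the same file permissions as the password in the application's config.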

Joe Kaplan

Oct 29, 2009, 7:23:47 PM
Thanks for the follow up. I was hoping someone would find a good solution
to passing a password to the CSP, but this is a viable work around if you
have a p12!

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
"kejster" <kej...@discussions.microsoft.com> wrote in message
news:624E1374-9B4A-4F61...@microsoft.com...
