Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Sending POST over HTTPS using a Client Certificate with WinHttpRequest.5.1

8,695 views
Skip to first unread message

Greg

unread,
Jan 14, 2004, 12:53:45 PM1/14/04
to
Hi all,

The following snippet always return "A certificate is required to complete
client authentication" (.asp under IIS 5) :

Set WinHttp = Server.CreateObject("WinHttp.WinHttpRequest.5.1")
WinHttp.Open "POST" ,"https://foo/bar.cgi", False
WinHttp.SetClientCertificate("Gregoire")
WinHttp.Send ("Some DATA to send")

The same request (https://foo/bar.cgi) under IE5 from the same machine :
- Prompts for selecting a certificate, I choose "Gregoire", which is the
only item in the list
- Says the originator of the certificate is not trusted, I confirm with
the OK button
- Displays the bar.cgi result correctly.

Any idea of how to send a given client certificate when posting with
WinHttpRequest.5.1 under asp/IIS5 ?

Thanks in advance,

Grégoire

Stephen Sulzer

unread,
Jan 14, 2004, 6:16:12 PM1/14/04
to
Hello,

Your client certificate needs to be located in a certificate store that your
ASP application can access. WinHTTP running in an ASP application will not
use the same certificate store that Internet Explorer uses. You need to use
the WinHTTP Certificate Configuration utility to import your client
certificate into the "Local Machine" cert store on your IIS server.

See the WinHTTP Cert Config utility documentation for more information:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winhttp/http/winhttpcertcfg_exe__a_certificate_configuration_tool.asp

The WinHttpCertCfg.exe utility is part of the Windows Resource Toolkit,
available for free download at:
http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&DisplayLang=en

Once you've imported your client certificate into the Local Machine store,
you will need to change your SetClientCertificate method call to something
like this:

WinHttp.SetClientCertificate("LOCAL_MACHINE\MY\Gregoire")

Finally, the "originator of the certificate is not trusted" problem you
mention with your certificate may cause additional problem (WinHTTP may
reject it), but I cannot be sure.


Regards,
Stephen

"Greg" <gregoi...@tsmgroup.com> wrote in message
news:ugcHUbs2...@TK2MSFTNGP10.phx.gbl...

Greg

unread,
Jan 15, 2004, 11:19:59 AM1/15/04
to
That's it - Thanks !
I had to :

1. Download & Install WinHttpCertCfgTool (for W2K) from
http://www.microsoft.com/downloads/details.aspx?familyid=c42e27ac-3409-40e9-
8667-c748e422833f&displaylang=en

2. Launch mmc.exe

3. Add the Certificate SnapIn For Local Computer (only this one)

4. Add My certificate into the Personal Store

5. Issue the following command under command prompt :
winhttpcertcfg -g -c LOCAL_MACHINE\My -s "MyCertificateSubjectName" -a
IWAM_MachineName

At this point I had a
ERROR_WINHTTP_SECURE_INVALID_CA
12045
Indicates that a certificate chain was processed but terminated in a root
certificate that is not trusted by the trust provider (equivalent to
CERT_E_UNTRUSTEDROOT).

6. So I had to add the second certificate (the provider's public key) into
the Trusted Root Certification Authorities via the MMC

And now, I have a :
WinHttp.WinHttpRequest error '80072f06'
The host name in the certificate is invalid or does not match
<=>
ERROR_WINHTTP_SECURE_INVALID_CA
12045
Indicates that a certificate chain was processed but terminated in a root
certificate that is not trusted by the trust provider (equivalent to
CERT_E_UNTRUSTEDROOT).

So may be there's a pb in the certificates themselves..
I'll post back to that forum to let you know anyway.

Greg


"Stephen Sulzer" <sasulzer_at_seanet.com> a écrit dans le message news:
100bje9...@corp.supernews.com...

Stephen Sulzer

unread,
Jan 15, 2004, 4:34:28 PM1/15/04
to
Greg,

The ERROR_WINHTTP_SECURE_INVALID_CA error might be a problem with the
server's certificate, not with your client certificate. If it is a problem
with the server's certificate, you can instruct WinHTTP to ignore the
problem as a workaround. This is done by setting a 'SSLErrorIgnoreFlags'
option:

Const Option_SSLErrorIgnoreFlags = 4

Const SslErrorFlag_UnknownCA = 256
Const SslErrorFlag_CertWrongUsage = 512
Const SslErrorFlag_CertCNInvalid = 4096
Const SslErrorFlag_CertDateInvalid = 8192
Const SslErrorFlag_Ignore_All = 13056 ' Ignore all of the above

WinHttp.Option(Option_SSLErrorIgnoreFlags) = SslErrorFlag_Ignore_All


WinHttp.SetClientCertificate("LOCAL_MACHINE\MY\Gregoire")

WinHttp.Send

For documentation on the SSLErrorIgnoreFlags option, see the following:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winhttp/http/winhttprequestoption.asp

Hope that helps.

Stephen

"Greg" <gregoi...@tsmgroup.com> wrote in message

news:uIiYYL42...@TK2MSFTNGP10.phx.gbl...

Greg

unread,
Jan 16, 2004, 3:51:24 AM1/16/04
to
Thanks Stephen,
I had the Option_SSLErrorIgnoreFlags set to 5 as described in the
WinHttpRequestOption enum at
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winhttp/htt
p/winhttprequestoption.asp

But there seems to be an inversion in this enum, as far as
Option_SSLErrorIgnoreFlags should be set to 4 instead !

N.B. : By adding the Option with 100H, I could also got rid of the CA
certificate.


Everything is working fine now !
Thanks again,

Greg


"Stephen Sulzer" <sasulzer_at_seanet.com> a écrit dans le message news:

100e1rj...@corp.supernews.com...

Frank Schwieterman [MSFT]

unread,
Jan 19, 2004, 5:42:02 PM1/19/04
to
Hi Greg I'm glad you were to get things working. I'd like to followup
though about the issue you saw with the enum being inverted as I don't
understand the problem as stated. It sounds like you think you found a bug
though? Can you expand a bit on the behavior you think was bug, and let me
know what you expected and what you saw?

--
This posting is provided "AS IS" with no warranties, and confers no rights.


"Greg" <gregoi...@tsmgroup.com> wrote in message

news:uX1dY1A3...@TK2MSFTNGP12.phx.gbl...

Greg

unread,
Jan 20, 2004, 11:25:07 AM1/20/04
to
Hi Frank, and thanks for your interest.

Let me be clearer about this issue.
In the following page, you find the WinHttpRequestOption described.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winhttp/htt
p/winhttprequestoption.asp
I'm assuming this Enum being is zero based. This is confirmed by the VB
snippet at the bottom of the following page :
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winhttp/htt
p/iwinhttprequest_option.asp
which states :
Const WinHttpRequestOption_UserAgentString = 0
Const WinHttpRequestOption_URL = 1
Const WinHttpRequestOption_URLCodePage = 2
Const WinHttpRequestOption_EscapePercentInURL = 3

So, I assume the following is true :
WinHttpRequestOption_EnableCertificateRevocationCheck == 4
WinHttpRequestOption_SslErrorIgnoreFlags == 5

Which is wrong, as far as WinHttpRequestOption_SslErrorIgnoreFlags == 4

;-))

Please let us know !

Thnx !

Greg


"Frank Schwieterman [MSFT]" <fsch...@online.microsoft.com> a écrit dans le
message news: #nR$x1t3D...@TK2MSFTNGP10.phx.gbl...

Stephen Sulzer

unread,
Jan 22, 2004, 6:50:08 PM1/22/04
to
The authoritative source for the values of the WinHttpRequestOption enums is
the httprequest.idl file in the Platform SDK. The ordering of the enums in
the IDL file determines their values. Unfortunately the on-line
documentation lists them in the incorrect order w.r.t. the
EnableCertificateRevocationCheck option.

From the httprequest.idl file :


enum WinHttpRequestOption
{
WinHttpRequestOption_UserAgentString, // 0
WinHttpRequestOption_URL, // 1
WinHttpRequestOption_URLCodePage, // 2
WinHttpRequestOption_EscapePercentInURL, // 3
WinHttpRequestOption_SslErrorIgnoreFlags, // 4
WinHttpRequestOption_SelectCertificate, // 5
WinHttpRequestOption_EnableRedirects, // 6
WinHttpRequestOption_UrlEscapeDisable, // 7
WinHttpRequestOption_UrlEscapeDisableQuery, // 8
WinHttpRequestOption_SecureProtocols, // 9
WinHttpRequestOption_EnableTracing, // 10
WinHttpRequestOption_RevertImpersonationOverSsl, // 11
WinHttpRequestOption_EnableHttpsToHttpRedirects, // 12
WinHttpRequestOption_EnablePassportAuthentication,// 13
WinHttpRequestOption_MaxAutomaticRedirects, // 14
WinHttpRequestOption_MaxResponseHeaderSize, // 15
WinHttpRequestOption_MaxResponseDrainSize, // 16
WinHttpRequestOption_EnableHttp1_1, // 17
WinHttpRequestOption_EnableCertificateRevocationCheck // 18
} WinHttpRequestOption;


Stephen


"Greg" <gregoi...@tsmgroup.com> wrote in message

news:el#ziF33D...@TK2MSFTNGP11.phx.gbl...

Frank Schwieterman [MSFT]

unread,
Jan 30, 2004, 1:42:52 PM1/30/04
to
Greg it looks like Stephen identified the issue and I'm going to get a doc
bug open on that. But if it was something else, do let me know.

--
This posting is provided "AS IS" with no warranties, and confers no rights.
"Greg" <gregoi...@tsmgroup.com> wrote in message

news:el%23ziF33...@TK2MSFTNGP11.phx.gbl...

Greg

unread,
Feb 5, 2004, 8:46:06 AM2/5/04
to
You got it guys !
Thnx !
Greg

"Frank Schwieterman [MSFT]" <fsch...@online.microsoft.com> a écrit dans le

message news: eUwfbD25...@TK2MSFTNGP11.phx.gbl...

juninaw...@gmail.com

unread,
Feb 5, 2020, 11:52:05 AM2/5/20
to
How i can find my client certificate in my computer
0 new messages