
WinHttp SetClientCertificate 1


florindaniel (Programmer), Dec 4, 2009
Hello,

I need to consume a web service via a WinHttp object.
It works, but the certificate used for the connection is set
via the SetClientCertificate method of that object and the parameter it accepts
is the Certificate Name, not the serial.

My problem appears when there is more than one certificate with the same name
since I know no other way to select the certificate and SetClientCertificate picks
the first record, even if the certificate I would like to use is the third, for example.

Thank you,
Daniel

 
Thank you Olaf, I've seen the param specs BUT... I have NO idea where the location is! Is it some file/folder on the disk, or are we talking about registry keys?
 
Judging from the sample code, we are talking about the registry.

Instead of LOCAL_MACHINE\\Personal\\My Middle-Tier Certificate we would rather know the registry key as "\Personal\My Middle-Tier Certificate" within the root key HKEY_LOCAL_MACHINE.

If you have a certificate file (a cer or crt file, perhaps) you have to install it into a certificate store, personal or system; as far as I know there are several. And it seems that in the end the installation of a certificate puts it, or a reference to it, somewhere in the registry.

Bye, Olaf.
 
As we speak I am REGEDIT-ing and there's no Personal key within HKEY_LOCAL_MACHINE :(
 
It's just a sample. There are many certificate stores: Trusted People, Trusted Vendors, ... The location of your certificate keys can generally only be narrowed down to either LOCAL_MACHINE or CURRENT_USER, see

MSDN said:
Location

Determines the registry key under which the certificates are stored.

The possible values are "LOCAL_MACHINE" to indicate that the certificate store is under HKEY_LOCAL_MACHINE and "CURRENT_USER" to indicate that the certificate store is under the non-impersonated HKEY_CURRENT_USER.

MSDN said:
Certificate store

Indicates the name of the certificate store that contains the relevant certificate.

Typical certificate stores are "MY", "Root", and "TrustedPeople".

and finally

MSDN said:
Subject name

Identifies a certificate within the specified certificate store. The first certificate that contains the string specified for this component is selected.

The subject name can be any string. A blank string indicates that the first certificate in the certificate store should be used. This component is case-insensitive.

Since the overall registry locations, including Location and certificate store, are not very limiting in where to search, a guess won't help, even an educated guess. So you/we have to find out what store the keys you need are stored in. As they are client-side authentication certificates, that's a hint perhaps.

The management tool for certificates in Windows is not the registry but the mmc management console, more precisely the Certificates snap-in.

Run mmc
In the management console use File (menu) -> Add/Remove snap-in to add the Certificates snap-in.

But let me move some steps back and ask: what certificate name did you try so far? What do you have at hand, is it a cer file? You might just need to install the certificate appropriately and the rest will work automatically, without even using the SetClientCertificate method. You might need to add a certificate in Internet Explorer in Internet Options -> Content -> Certificates.

Bye, Olaf.
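To see what the documented Location\Store\SubjectName rule actually resolves to on a given machine, here is an added example in PowerShell; it is not code from the thread or from Microsoft's documentation. It maps the two Location values onto the Cert: drive, applies the documented case-insensitive substring match to every certificate in the store, lists all matches with the properties that tell duplicates apart (thumbprint, friendly name, expiry, whether a private key is present, whether the certificate carries the Client Authentication EKU), and only hands the selector to WinHttp when exactly one certificate matches. The "Personal" tab in the Certificates dialog is the store named "My"; that store name, the sample selector and the service URL are the assumptions the code makes.

```powershell
# Added example; not code from the thread or from the SetClientCertificate
# documentation. It applies the documented selection rule to a local store so
# an ambiguous selector is detected before WinHttp silently picks the first match.
# The selector and URL used at the bottom are assumed values.

function Resolve-WinHttpClientCertificate {
    param(
        [Parameter(Mandatory)]
        [string]$Selector   # Location\Store\SubjectName, e.g. 'CURRENT_USER\MY\John Doe'
    )

    $parts = $Selector -split '\\', 3
    if ($parts.Count -ne 3) { throw "Selector must have the form Location\Store\SubjectName" }
    $location, $store, $subjectPart = $parts

    # Documented Location values mapped onto the Cert: provider roots.
    # (The "Personal" tab in Internet Explorer is the store named "My".)
    $root = switch ($location.ToUpperInvariant()) {
        'CURRENT_USER'  { 'Cert:\CurrentUser' }
        'LOCAL_MACHINE' { 'Cert:\LocalMachine' }
        default         { throw "Unknown location '$location'; expected CURRENT_USER or LOCAL_MACHINE" }
    }

    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

    foreach ($cert in Get-ChildItem -Path "$root\$store") {
        # Documented rule: case-insensitive substring match on the subject; a blank
        # subject component matches everything (IndexOf('') is 0), which mirrors
        # "first certificate in the store". All matches are emitted so duplicates show.
        $idx = $cert.Subject.IndexOf($subjectPart, [System.StringComparison]::OrdinalIgnoreCase)
        if ($idx -lt 0) { continue }

        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        # No EKU extension means the certificate is not restricted to a purpose.
        $clientAuth = if ($ekuExt) {
            [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
        } else { $true }

        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            FriendlyName  = $cert.FriendlyName
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            ClientAuth    = $clientAuth
        }
    }
}

function Invoke-WinHttpGet {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$Selector
    )
    $candidates = @(Resolve-WinHttpClientCertificate -Selector $Selector)
    if ($candidates.Count -eq 0) { throw "Selector '$Selector' matches no certificate" }
    if ($candidates.Count -gt 1) {
        # WinHttp would take the first one without telling you; refuse instead, because the
        # request would then be authenticated with a key you did not intend to use.
        $candidates | Format-Table Thumbprint, FriendlyName, NotAfter, HasPrivateKey, ClientAuth -AutoSize |
            Out-String | Write-Warning
        throw "Selector '$Selector' is ambiguous ($($candidates.Count) matches); narrow it down first"
    }

    $req = New-Object -ComObject 'WinHttp.WinHttpRequest.5.1'
    $req.Open('GET', $Url, $false)          # synchronous request
    $req.SetClientCertificate($Selector)    # the same string format the thread discusses
    $req.Send()
    [pscustomobject]@{
        Status         = $req.Status
        Body           = $req.ResponseText
        UsedThumbprint = $candidates[0].Thumbprint
    }
}

# Usage with assumed values: inspect first, call only when the selector is unique.
Resolve-WinHttpClientCertificate -Selector 'CURRENT_USER\MY\John Doe' | Format-Table -AutoSize
# Invoke-WinHttpGet -Url 'https://example.invalid/service' -Selector 'CURRENT_USER\MY\John Doe'
```

Two caveats. The order in which the Cert: provider enumerates a store is not guaranteed to be the order WinHttp walks it, so the listing shows which certificates qualify, not reliably which one WinHttp would take. And the function refuses to send on an ambiguous selector on purpose: an HTTPS request authenticated with the other token's key is a silent failure that is cheaper to catch before the request than to debug on the server side.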
 
Thank you again Olaf; I'm illiterate concerning certificates :( so I don't even know what keys you are talking about.
The serial key of the certificate?

The certificates I use are installed, I suppose, because if I plug the USB token into my machine they appear in Internet Explorer -> Tools -> Internet Options -> Content -> Certificates.
In SetClientCertificate I use the Certificate Name as shown in the properties window, and this name is the name of the owner.
And HERE comes the problem, since the same owner (i.e. the same name) has two certificates with two USB tokens.
SetClientCertificate automatically chooses the first one and I need the second one :(

I've also read the MSDN file but I don't know what to search for in RegEdit!

Thank you
 
Key: the Registry is a hierarchical key/value store. The key is the registry path, the value is the end node's value.

Well, if you go into Internet Explorer -> Tools -> Internet Options -> Content -> Certificates. There are tabs "Personal", "Other People", ...
If you see your certificates in some tab you already know the certificate store name as the tab caption.

Don't try to find this in the registry, I also have no "Personal" inside HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE.

What name did you try so far from that list in the explorer? The "Issued To" name? I'd guess "Friendly Name" would be the certificate name; you can edit that, it might be displayed as <None>.

Put together CURRENT_USER/<<Tab name>>/<<Friendly Name>> and try that, then LOCAL_MACHINE/....

I'm also not very familiar with certificates, but have done a bit with code signing certificates. Not sure at all, but that's how I see it from the descriptions.

Bye, Olaf.


 
Thank you Olaf; I've finally found what the name of the store is (the tab name). Mine is "Personal" indeed.
The name I've used is part of the "Subject" in the Details tab and its name is CN (I suppose that means Certificate Name).
As I've told you, if there's only one certificate with CN=John Doe there's no problem,
but when I have two different certificates, both with CN=John Doe, then the first one is selected.

I understand you are suggesting to edit and change CN to James Doe, for example; I hope it will not block the USB dongle :)

Thank you,
Daniel
 
No, I am not suggesting to change CN.

I was suggesting to change "Friendly Name", that's the rightmost column in the certificate list as it's displayed in the Internet Explorer Certificates Window Tab, even before you view the certificate in detail. For me that's mostly <None> for all certificates I see, unnamed.

When I view a certificate the Subject is identical to "Issued To", to whom the certificate is issued, that's surely not the certificate name. There is no CN for me in all certificate Subjects I can see. And when filtering for Client Authentication certificates I only have one certificate for Office365 issued to me, which has my mail address as the "Subject", but that's not the certificate name. For sure that Subject is repeated, if two or more certificates are issued to you, because that rather identifies you, not the certificate.

Friendly Name is in that detail list too; scroll down to the last entry. If that is not accepted as the last part of the SetClientCertificate parameter, I don't know what the certificate name should be, but certainly not the Subject, nor Issued To or Issued From. Friendly Name is the only property resembling a certificate name.

Bye, Olaf.

 
I seem to remember similar problems in the past when client authentication certificates were registered with duplicate CN (Common Name) attributes in the Subject. I was using a supplier's Java application rather than something that I'd written in VFP, but your symptoms are exactly the same. I had to manually re-register the certificate that I wanted to use each time, to make sure it was the one to be used.

Have a look at Wikipedia for X.509 and look in the implementation issues. It seems that just picking the first certificate is a common failing.

BTW You can also see your certificates in Internet Explorer (Internet options->Content tab->Certificates button).

Daniel, client certificates suck. You have my sympathies :(

Background

Some fields in a certificate (eg Subject) can have a number of attributes. CN is the Common Name (there are others like O for organisation, S for state, etc). You'll find CN attributes in other fields in the certificate too. If you look at some of the certificates in the Intermediate Certification Authorities store, you see some slightly more complicated Issuer and Subject fields that illustrate this.

Rob Spencer
Caliptor Pty Ltd
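As an added example that is not Rob's or Daniel's code (PowerShell rather than VFP), the script below makes Rob's point concrete: it splits a certificate's Subject into its attributes (CN, O, OU and so on), groups the Personal store by CN so colliding certificates are listed with the fields that do differ (thumbprint, issuer, validity period), and then authenticates a request with one exact certificate chosen by thumbprint through System.Net, instead of WinHttp's first-substring-match selector. The thumbprint is a hash over the entire encoded certificate, so two certificates with an identical Subject still have different thumbprints. The store path, the URL and the thumbprint placeholder are assumptions.

```powershell
# Added example; not code from the thread. Splits a Subject into its attributes,
# finds Common Names that occur more than once in the Personal store, and sends a
# request with one exact certificate chosen by thumbprint through System.Net.
# The store path, the URL and the thumbprint placeholder are assumed values.

function Get-SubjectAttributes {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Format($true) yields one "Type=Value" line per RDN, so commas inside values
    # (for example O="Doe, Inc.") need no special handling.
    $attrs = [ordered]@{}
    foreach ($line in ($Certificate.SubjectName.Format($true) -split "`r?`n")) {
        if ($line -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') {
            $type, $value = $Matches[1], $Matches[2]
            # Repeated types (several OU=, for example) are collected into a list.
            if ($attrs.Contains($type)) { $attrs[$type] = @($attrs[$type]) + $value }
            else { $attrs[$type] = $value }
        }
    }
    $attrs
}

function Find-DuplicateCommonNames {
    param([string]$StorePath = 'Cert:\CurrentUser\My')   # "Personal" tab = store "My"
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.HasPrivateKey } |              # only certificates that can authenticate
        Group-Object -Property { (Get-SubjectAttributes -Certificate $_).CN } |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                CN           = $_.Name
                Certificates = $_.Group | Select-Object Thumbprint, Issuer, NotBefore, NotAfter, FriendlyName
            }
        }
}

function Invoke-HttpsGetWithThumbprint {
    param(
        [Parameter(Mandatory)][string]$Uri,
        [Parameter(Mandatory)][string]$Thumbprint,      # SHA-1 of the DER certificate; unique per certificate
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )
    $wanted = $Thumbprint -replace '\s', ''              # tolerate the spaced form shown in the GUI
    $cert = Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $wanted }
    if (-not $cert)               { throw "No certificate with thumbprint $wanted in $StorePath" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $wanted has no private key; it cannot authenticate" }

    $request = [System.Net.HttpWebRequest]::Create($Uri)
    [void]$request.ClientCertificates.Add($cert)        # exactly this certificate, no name matching
    $response = $request.GetResponse()
    try {
        $reader = New-Object System.IO.StreamReader($response.GetResponseStream())
        $reader.ReadToEnd()
    } finally {
        $response.Close()
    }
}

# Usage with assumed values:
Find-DuplicateCommonNames | Format-List
# Invoke-HttpsGetWithThumbprint -Uri 'https://example.invalid/service' -Thumbprint '<thumbprint from the listing above>'
```

The Subject, CN included, sits inside the signed part of the certificate, so it cannot be edited locally; changing it means having the certificate reissued. The friendly name is a local property of the store entry and can be changed freely, which makes it useful for telling the two tokens apart in the GUI, whatever WinHttp does with it.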
 
Thanks Rob,

that's new for me, too.

So the CN=... part of a certificate Subject is the certificate name, and you really can have duplicate names. I wonder if setting "friendly name" can override that and make SetClientCertificate pick the right one. If that's not the case, can you manually re-register the certificate with a modified CN? Or would the server then not recognize this as the right certificate?

Bye, Olaf.
 