Poupou's Corner of the Web

Looking for perfect security? Try a wireless brick.
Otherwise you may find some unperfect stuff here...


Client Certificate Support Update

Good news! It is now possible, using the Mono 2.0 profile, to use X.509 client certificates with HttpWebRequest.

Why such a restriction? Because the original API was badly designed. It only accepted an X509Certificate and provided no way to supply the private key associated with the (public key of the) certificate.

Then how could this work on the MS runtime? Because certificates could be part of a certificate store (even if the store wasn't exposed before fx 2.0). In this case CryptoAPI could have a link between the certificate store and the key store (if both were available simultaneously when imported). But it could fail too ;-)

What changed in 2.0? A new, more complete class, X509Certificate2, is available. This new class supports loading formats that include private keys, e.g. PKCS#12 files, which means the private key, if available, can be used for the signing operation required by client certificates in SSL/TLS. The class also inherits from the older X509Certificate, making it usable with HttpWebRequest.

So everything is fine now? No, this still works only for 2.0, and only if you load a certificate with a private key, i.e. it won't work if you depend on CryptoAPI magic associations. Still, this allows some new scenarios to work, including (but not tested) accessing web services with client certificates.
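The sketch below is an added example, not the sample code from the wiki page: it loads a PKCS#12 file into an X509Certificate2, refuses to continue when no private key came with it (the case described above, where the handshake signature cannot be produced), and attaches the certificate to an HttpWebRequest. The URL and file path arguments and the `CLIENT_P12_PASSWORD` environment variable are assumptions made for this example.

```csharp
using System;
using System.IO;
using System.Net;
using System.Security.Cryptography.X509Certificates;

class ClientCertRequest
{
    // Load a PKCS#12 file and fail early if the private key did not come with it.
    static X509Certificate2 LoadClientCertificate(string pkcs12Path, string password)
    {
        X509Certificate2 cert = new X509Certificate2(pkcs12Path, password);
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException(
                "No private key in " + pkcs12Path + "; the client signature cannot be produced.");
        return cert;
    }

    static int Main(string[] args)
    {
        if (args.Length != 2)
        {
            Console.Error.WriteLine("usage: ClientCertRequest.exe <https-url> <file.p12>");
            return 2;
        }

        // Hypothetical variable name; keeps the password out of the process arguments.
        string password = Environment.GetEnvironmentVariable("CLIENT_P12_PASSWORD");

        X509Certificate2 cert = LoadClientCertificate(args[1], password);
        Console.WriteLine("Client certificate: {0}", cert.Subject);

        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(args[0]);
        // X509Certificate2 inherits from X509Certificate, so the 1.x-era collection accepts it.
        request.ClientCertificates.Add(cert);

        using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
        using (StreamReader reader = new StreamReader(response.GetResponseStream()))
        {
            Console.WriteLine("HTTP {0}", (int)response.StatusCode);
            Console.WriteLine(reader.ReadToEnd());
        }
        return 0;
    }
}
```

Loading a certificate-only file (for example a DER-encoded .cer) through the same path makes `HasPrivateKey` false, so the failure shows up before the request is sent rather than as a rejected handshake.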

The wiki page, UsingClientCertificatesWithXSP, has been updated with sample code. Have fun!

5/10/2007 08:46:58

The views expressed on this website/weblog are mine alone and do not necessarily reflect the views of my employer.