I have an external API that I'm using: https://example.com/. When browsing to this, I get a popup that asks for a certificate, which I have as a .pfx file (or in my keychain as a .cer). I accept that they access the certificate and sign it with my private key and voilà - I can access the page.
Now what I want to be able to do is do this in AngularJS. What I have tried so far is:
$http.get("https://example.com/");
Response:
Failed to load resource: The server ”...” did not accept the certificate. - I translated this from another language, just so you know.
What I want to do is to somehow send the .pfx file in the $http request. How do I do this?
I solved this by doing it in node.js instead, where there are options for certificates. I used pfx and passphrase and that was it. I however don't know if this is possible to do in AngularJS.
Problem:
Sending a request from Azure-API-Management to a SOAP-webservice using client certificate authentication, results in a 401-response, whereas I would like to get a 200-response.
Cause: When I use the same keystore (pfx) in SoapUI all goes well and I do receive the 200-response. So the certificates and key in the pfx are valid. Because Basic Authentication in APIM does allow me to connect to the webservice, the cause must be that something goes wrong with sending the client-certificate from API-Management to the webservice.
Attempt to solve: I would like to try sending the certificate to the backend using this policy so I can hopefully pass the authentication:
<authentication-certificate body="#(context.Variables.GetValueOrDefault<byte[]>("byteCertificate"))" password="optional-certificate-password" />
Where I am currently stuck:
How can I convert my PFX file (containing 4 certificates and a key) to a byte array so that I can use it in API-Management?
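An added example (not from the question or from Azure API Management's own docs) of the checks to run on the .pfx and of producing the base64 string that a byte[] variable can be decoded from. It assumes openssl is installed; the file names and password are placeholders and the two-certificate .pfx it builds is constructed test material.

```shell
#!/bin/sh
# Added example, not from the question: inspect a .pfx and produce the
# base64 form of its raw bytes. Assumes openssl is installed; all file
# names and the password are placeholders.
set -eu
WORK=$(mktemp -d)
cd "$WORK"
PFX_PASS='placeholder-pfx-password'

# Constructed test material: a CA, a leaf signed by it, and a .pfx holding
# the leaf key plus both certificates (the asker's .pfx has four certs).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj '/CN=test-ca' -days 1 >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj '/CN=test-client' >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out leaf.crt -days 1 >/dev/null 2>&1
openssl pkcs12 -export -inkey leaf.key -in leaf.crt -certfile ca.crt \
  -out client.pfx -passout "pass:$PFX_PASS"

# Number of certificates inside the .pfx: confirms nothing was dropped
# before the bytes are handed to API Management.
pfx_cert_count() {  # args: pfx password
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Whether the .pfx actually holds a private key (client auth needs one).
pfx_has_key() {  # args: pfx password
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY'
}

# The raw .pfx bytes as one base64 line. That string is what you store
# (e.g. as a named value) and decode into the byte[] the policy expects;
# in a policy expression Convert.FromBase64String(...) does the decoding.
pfx_to_base64() {  # arg: pfx
  openssl base64 -A -in "$1"
}

# Round trip: decoding the string must give back the identical file.
pfx_base64_roundtrip_ok() {  # arg: pfx
  pfx_to_base64 "$1" | openssl base64 -d -A | cmp -s - "$1"
}
```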
I've been looking for a solution for 4 days but I have found nothing.
What I want is to get an access token from my Identity Server with a client_credentials grant_type. I found that you can do this, but nowhere is it explained how to make the certificates, how the request is made, etc.
I tried a lot of ways but with no success.
From the documentation: Our default private key JWT secret validator expects the full (leaf) certificate as base64 on the secret definition. This certificate will then be used to validate the signature on the self-signed JWT. That base64 is the content of the .cert file, I believe. In the request, should I put the .pfx file in base64 too?
Are there any changes that I need to make to the Program.cs file for Kestrel? I found this too, but all are outdated and don't work.
Now I'm trying with Postman; after this everything should be called from an Azure Logic App.
I followed this example: but it doesn't work.
The error:
Postman:
Program.cs
And the Config.cs from Identity
I will be very glad if you can help. Thanks in advance
As said you can use a client secret instead of a client certificate which is more common/easier. If you really need certificate authentication: I found more information on http://docs.identityserver.io/en/latest/topics/mtls.html
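An added example (not from the question, the answer, or the IdentityServer project) covering the two pieces the question asks about: the base64 leaf certificate that goes on the secret definition, and the JWT signed with the .pfx private key that the client sends. It assumes openssl is installed; the .pfx, its password, the client id and the token endpoint are placeholders and the single-cert .pfx it builds is constructed test material.

```shell
#!/bin/sh
# Added example, not from the question or the IdentityServer project: from a
# .pfx, produce (1) the base64 leaf certificate for the client secret
# definition and (2) an RS256 client assertion signed with the pfx key.
# Assumes openssl; pfx, password, client id and token endpoint are placeholders.
set -eu
WORK=$(mktemp -d)
cd "$WORK"
PFX_PASS='placeholder-pfx-password'

# Constructed test material: one key and self-signed cert packed into a .pfx
openssl req -x509 -newkey rsa:2048 -nodes -keyout client.key -out client.crt \
  -subj '/CN=client-test' -days 1 >/dev/null 2>&1
openssl pkcs12 -export -inkey client.key -in client.crt -out client.pfx \
  -passout "pass:$PFX_PASS"

b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

# (1) Leaf certificate as base64 DER: this, not the whole .pfx, is what the
# secret definition carries; the .pfx (with the key) stays with the client.
leaf_cert_b64() {  # args: pfx password
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null \
    | openssl x509 -outform DER | openssl base64 -A
}

# (2) Client assertion JWT for the token request, signed with the pfx key.
client_assertion() {  # args: pfx password client_id token_endpoint
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
    | openssl pkey -out "$WORK/assert.key"
  now=$(date +%s)
  header=$(printf '{"alg":"RS256","typ":"JWT"}' | b64url)
  payload=$(printf '{"iss":"%s","sub":"%s","aud":"%s","jti":"%s","iat":%s,"exp":%s}' \
    "$3" "$3" "$4" "$(openssl rand -hex 16)" "$now" "$((now + 300))" | b64url)
  sig=$(printf '%s.%s' "$header" "$payload" \
    | openssl dgst -sha256 -sign "$WORK/assert.key" -binary | b64url)
  printf '%s.%s.%s\n' "$header" "$payload" "$sig"
}

# Token request body (client_credentials + private_key_jwt), as form fields
# for one POST to the token endpoint (e.g. curl -d for each field):
#   client_id=<id>&grant_type=client_credentials&scope=<scope>
#   &client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer
#   &client_assertion=<output of client_assertion>
```

The assertion's aud must be the token endpoint URL exactly as the server knows it, and exp is kept short because the JWT is a bearer credential for its lifetime.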
I'm building a web service to allow salesforce to call to it, the two way SSL is used for security, and salesforce has provided its client certificate: sfdc-client.cert.
In order to test whether salesforce client certificate work or not, I have setup a very simple web on MAC apache and enable SSL and client authentication on ssl config file /etc/apache2/extra/httpd-ssl.conf as below (use self-signed):
SSLCertificateFile "/private/etc/apache2/ssl/server.crt"
SSLCertificateKeyFile "/private/etc/apache2/ssl/server.key"
SSLCACertificateFile "/private/etc/apache2/ssl/sfdc-client.cert"
SSLVerifyClient require
SSLVerifyDepth 10
On first browsing with Chrome, I got "SSL Connection Error"; I suppose that's correct in this case.
Then, I tried to import sfdc-client.cert into Keychain Access, but it does not work at all because it only supports the p12/pfx format.
I also tried to use CURL:
curl https://test.com --cert-type der --cert sfdc-client.cert
but got the error:
curl: (58) unable to use client certificate (no key found or wrong pass phrase?)
I'm a total newbie at this stuff; does anyone know how to test a client certificate to make sure it works as above?
First you need to have both the client's certificate and certificate private key to be able to test 2-way SSL authentication.
To test with web browser, follow instructions here: Is there a way to test 2 way ssl through browser?
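An added example (not from the question or the answer) of the checks to run before pointing curl at the server: which format the .cert file is in, and whether a private key actually belongs to it, since a certificate alone cannot complete client authentication. It assumes openssl is installed; file names are placeholders and the key/certificate pair it builds is constructed test material.

```shell
#!/bin/sh
# Added example, not from the question or answer: pre-flight checks for
# 2-way SSL. The certificate alone (sfdc-client.cert) cannot authenticate;
# the handshake needs the matching private key. Assumes openssl; file names
# are placeholders and the test material below is constructed.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Constructed test material: a key with its certificate, plus an unrelated key
openssl req -x509 -newkey rsa:2048 -nodes -keyout client.key -out client.crt \
  -subj '/CN=sfdc-test-client' -days 1 >/dev/null 2>&1
openssl genpkey -algorithm RSA -out other.key >/dev/null 2>&1
# A DER copy: a .cert file that curl rejects as PEM is often in this form
openssl x509 -in client.crt -outform DER -out client.cert

# Report PEM or DER so the right curl --cert-type can be chosen.
cert_format() {  # arg: cert file; prints PEM or DER, fails on neither
  if grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then echo PEM
  elif openssl x509 -in "$1" -inform DER -noout 2>/dev/null; then echo DER
  else return 1; fi
}

# Convert a certificate of either format to PEM (what most tools expect).
to_pem() {  # args: cert file, output file
  openssl x509 -in "$1" -inform "$(cert_format "$1")" -out "$2"
}

# True only when the private key belongs to the certificate: the public key
# embedded in the cert must equal the one derived from the key.
cert_matches_key() {  # args: PEM cert, PEM key
  cert_pub=$(openssl x509 -in "$1" -pubkey -noout)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# With a matching pair, the curl call from the question becomes:
#   curl --cacert server.crt --cert client.pem --key client.key https://test.com
# or, with a .pfx/.p12 bundle that already holds the key:
#   curl --cacert server.crt --cert-type P12 --cert client.pfx:password https://test.com
```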
I need to make an ajax call to a server which uses a self-signed certificate.
Using the --insecure option in curl helps in doing so.
But I need to make ajax calls, much like the $http requests in AngularJS. Are there any headers that can be set so that the certificate error does not arise?
There is a very hackish way in which you can point your browser in the direction of the server resource. This will prompt you to proceed with caution and upon proceeding anyway (try it with Chrome), your queries to the server should now work since the browser will now remember that that particular certificate is okay. I had this issue in the last project I worked on with self signed certs.
I'd like to use the URL fetch service for app engine (java). I'm just sending a POST to one of my own servers from a servlet.
AppEngine -> post-to: https://www.myotherserver.com/scripts/log.php
I'm reading the url fetch doc:
Secure Connections and HTTPS
An app can fetch a URL with the HTTPS method to connect to secure servers. Request and response data are transmitted over the network in encrypted form.
The proxy the URL Fetch service uses cannot authenticate the host it is contacting. Because there is no certificate trust chain, the proxy accepts all certificates, including self-signed certificates. The proxy server cannot detect "man in the middle" attacks between App Engine and the remote host when using HTTPS.
I don't understand - the first paragraph makes it sound like everything that goes from the servlet on App Engine to my PHP script is going to be secure if I use HTTPS. The second paragraph makes it sound like the opposite, that it won't actually be secure. Which is it?
Thanks
There are two things HTTPS does for you. One is to encrypt your data so that as it travels over the internet, through various routers and switches, no one can peek at it. The second thing HTTPS does is authenticate that you are actually talking to a certain server. This is the part App Engine can't do. If you were trying to connect to www.myotherserver.com, it is possible that some bad guy named Bob could intercept your connection and pretend to be www.myotherserver.com. Everything you sent to Bob would be encrypted on its way to Bob, but Bob himself would be able to get the unencrypted data.
In your case, it sounds like you control both the sending server and the destination server, so you could encrypt your data with a shared secret to protect against this possibility.
The UrlFetch through HTTPS has been fixed, allowing server certificate validation.
validate_certificate
A value of True instructs the application to send a request to the server only if the certificate is valid and signed by a trusted CA, and also includes a hostname that matches the certificate. A value of False instructs the application to perform no certificate validation. A value of None defaults to the underlying implementation of URL Fetch. The underlying implementation currently defaults to False, but will default to True in the near future.