PFX cert with ScHttpWebRequest

Discussion of open issues, suggestions and bugs regarding network security and data protection solution - SecureBridge
edbored
Posts: 5
Joined: Mon 25 Nov 2019 18:24

PFX cert with ScHttpWebRequest

Post by edbored » Mon 25 Nov 2019 19:04

I'm trying to duplicate a SoapUI query with a TScHttpWebRequest; unfortunately, I'm a little confused with respect to how to use the components...

(Using Delphi Rio)

I was provided a certificate in pfx format, which I converted to pem with:
openssl pkcs12 -in certfile.pfx -out certfile.pem

I dropped a TScFileStorage on a form, set the Path, and double clicked to get to editor.

In "Certificates" I created a new "cert1" entry, and did an "Import Key From" certfile.pem.

I then Exported public key to certfile.pub.

I went to Keys tab and did an Import From certfile.pub to "key1".


I dropped a TScHttpWebRequest on the form, and set:
- SSLOptions.Storage to ScFileStorage1,
- SSLOptions.ClientCertificateName to key1.key
- RequestURI to https://some_long_domain:443/some_resource
- Method to rmPOST
- ReadWriteTimeout to 100
- ContentType to application/xml

Based on a few postings here, I tried:

procedure TfrmTestQA.btn1Click(Sender: TObject);
var
  Response: TScHttpWebResponse;
  ResponseStr: string;
  buf: TBytes;
  s856xml: string;
begin
  s856xml := Get856Info(se1.AsInteger); // returns xml packet
  buf := TEncoding.UTF8.GetBytes(s856xml);
  // the request body is sent as raw UTF-8 bytes
  ScHttpWebRequest1.ContentLength := Length(buf);
  ScHttpWebRequest1.WriteBuffer(buf);
  Response := ScHttpWebRequest1.GetResponse;
  try
    ResponseStr := Response.ReadAsString;
  finally
    Response.Free; // the response object belongs to the caller
  end;
end;
With version 9.02, I was getting Error 40 returned.
With version 9.1 I'm getting "The CRL is not valid".

I'm not sure that the steps I've taken to populate the FileStorage are correct, and I'm ever more clueless on how to apply the cert/key data to the ScHttpWebRequest.

Can I please get clarification?

Thanks.

edbored
Posts: 5
Joined: Mon 25 Nov 2019 18:24

Re: PFX cert with ScHttpWebRequest

Post by edbored » Wed 27 Nov 2019 01:40

I went through all the help docs again, and realized I need to do the following:

Just Import the .pem file as certificate in ScFileStorage1 (with default "cert1" name).
Set ScHttpWebRequest.SSLOptions.Storage to ScFileStorage1
Set ScHttpWebRequest.SSLOptions.ClientCertificateName to 'cert1'

Clearly I was overthinking (or underthinking/under-reading) things.

I've tried a number of things, but always receive:

If a certificate is specified, it must have a private key.

At this point, I'm wondering if there's a way to use pfx directly, or some information on how to verify the conversion from pfx to pem worked (there's a "-----BEGIN ENCRYPTED PRIVATE KEY-----" segment in the pem file).

EdB

edbored
Posts: 5
Joined: Mon 25 Nov 2019 18:24

Re: PFX cert with ScHttpWebRequest

Post by edbored » Wed 27 Nov 2019 03:30

I just had what I thought was a flash of the blindingly obvious - I took the pfx file and converted to the three PEM files:

openssl pkcs12 -in <filename.pfx> -nocerts -nodes -out <clientcert.key>
openssl pkcs12 -in <filename.pfx> -clcerts -nokeys -out <clientcert.cer>
openssl pkcs12 -in <filename.pfx> -cacerts -nokeys -chain -out <cacerts.cer>

And imported the key (as cl_cert1_key), clientcert (as clCert1), and cacert into ScFileStorage.

I set SSLOptions.ClientCertificateName to clCert1;

Then modified the original code to load the key:

procedure TfrmTestQA.btn1Click(Sender: TObject);
var
  Cert: TScCertificate;
  Response: TScHttpWebResponse;
  buf: TBytes;
  s856xml: string;
begin
  s856xml := Get856Info(se1.AsInteger);
  buf := TEncoding.UTF8.GetBytes(s856xml);
  // attach the extracted private key to the client certificate held in the storage
  Cert := ScFileStorage1.Certificates.FindCertificate('clCert1');
  if Cert <> nil then
    Cert.Key.ImportFrom('cl_cert1_key.key');
  ScHttpWebRequest1.ContentLength := Length(buf);
  ScHttpWebRequest1.WriteBuffer(buf);
  Response := ScHttpWebRequest1.GetResponse; // raises on a TLS alert from the server
  try
    ShowMessage(Response.ReadAsString);
  finally
    Response.Free;
  end;
end;
I'm now getting "The other side has sent a failure alert: [40]".


I think I'm close - any suggestions?

ViktorV
Devart Team
Posts: 3168
Joined: Wed 30 Jul 2014 07:16

Re: PFX cert with ScHttpWebRequest

Post by ViktorV » Thu 28 Nov 2019 11:16

Your code that imports a certificate and a private key associated with the certificate is correct.
In order for us to be able to give you a detailed answer, we need a sample demonstrating the behavior you mentioned. Therefore, please, compose a small sample demonstrating the described behavior and send it to us using the contact form https://devart.com/company/contactform.html

edbored
Posts: 5
Joined: Mon 25 Nov 2019 18:24

Re: PFX cert with ScHttpWebRequest

Post by edbored » Thu 28 Nov 2019 22:47

Thanks Viktor.

I have to get permission from "the server end" to expose their cert info - it might be a couple of days.

Can you comment on the OpenSSL command lines I used to convert the pfx to pem - then extract the ca, cl and clkey?

Thanks again.

EdB

ViktorV
Devart Team
Posts: 3168
Joined: Wed 30 Jul 2014 07:16

Re: PFX cert with ScHttpWebRequest

Post by ViktorV » Fri 29 Nov 2019 13:47

We think that those commands can be used to get the required files.

edbored
Posts: 5
Joined: Mon 25 Nov 2019 18:24

Re: PFX cert with ScHttpWebRequest

Post by edbored » Tue 03 Dec 2019 02:46

I finally got the right cert/key combination plugged in and working.

It POSTed and returned a response - once (every other time it complained about connection still open - that'll take some help-file reading to sort out).

I ended up having to convert the original pfx into cl_cert, ca_cert and key a couple of different ways.

I ended up using openssl s_client on command line to work out what worked and what failed:

c:\openssl-win64\bin\openssl s_client -connect service-to-reach.com:443 -cert server.crt -showcerts -key server.key
I'll post the particular openssl pfx-to-pem and key commands I used (once I figure out which eventually worked!).

ViktorV
Devart Team
Posts: 3168
Joined: Wed 30 Jul 2014 07:16

Re: PFX cert with ScHttpWebRequest

Post by ViktorV » Fri 06 Dec 2019 14:32

Thank you for your interest in our product.
It is good to see that the issue has been solved.
If you have any questions while using our products, please don't hesitate to contact us, and we will try to help you solve them.
