.pfx and .cer file, to access Web services

Posted on 2009-07-14
Last Modified: 2013-11-18
Hello Experts,

I have been provided with a .cer (SSL certificate) and a .pfx (digital signing certificate) file by the vendor to connect to an external web service through my client.
I want to know more about how these files work. I just ran them on my machine by double-clicking them, but do I need to write code in my client (VC++ application) for them to work?
Please let me know.

Thanks
Roop
Question by:rbhargaw
LVL 33

Expert Comment

by:Dave Howe
ID: 24850045
A CER is an X.509 certificate - the same as you can see for any HTTPS website by clicking on the padlock icon.

The PFX is a special case, in that it contains one or more CER files plus a private keyfile, which can be used to decrypt messages encrypted using the encryption key embodied in the CER file.

The CER will be the issuing root certificate, and will be added to the root certificate store of your IE by double-clicking it - this will allow you to check that the website's certificate is valid (and, as a side effect, allows that customer to fake certificates for any website he chooses, and your web browser will accept them as valid).

The PFX will be a client validation certificate and its matching keyfile. Your web browser will automatically respond to a request for a client certificate by offering the CER file embedded in the PFX to the remote server. It will prove ownership by correctly responding to a request based on the encryption key in that CER file, using the secret keyfile to decrypt the traffic.

Depending on what library your C++ application uses for HTTPS, you may or may not have to import them into some other keystore - for example, Java applets need them imported into the Java keystore, but most calls to Microsoft libraries just use the Windows (Internet Explorer) keystore, which is the default when double-clicking.

Author Comment

by:rbhargaw
ID: 24852550
Thanks Dave for the explanation.

Actually I have used OpenSSL libraries and Wsse in the C++ code to connect to their sample web service.

While coding I used ".pk8" or ".pem" files for testing, but never used the .pfx or .cer file provided by the vendor to connect. Hence I am wondering if I need to import them?

Thanks

#include <cstdio>
#include <cstdlib>
#include <openssl/bio.h>
#include <openssl/pem.h>
#include <openssl/x509.h>
#include <openssl/err.h>
#include "soapVfswsBinding.h"   // gSOAP-generated proxy for the vendor's service
#include "wsseapi.h"            // gSOAP WS-Security (wsse) plugin

const char *keyfile  = "C:\\test.pk8";   // private key, PKCS#8, password protected
const char *password = "pass";           // password for the PKCS#8 key
const char *keyfile1 = "C:\\test1.pem";  // PEM X.509 certificate matching that key

// Load the private key that will sign the SOAP body
BIO *bio = BIO_new(BIO_s_file());
if (!bio || BIO_read_filename(bio, keyfile) <= 0) {
	ERR_print_errors_fp(stderr);
	exit(1);
}
// With a NULL callback the last argument is passed to the default callback as the password
EVP_PKEY *pkey = PEM_read_bio_PrivateKey(bio, NULL, NULL, (void *)password);
if (!pkey) {
	ERR_print_errors_fp(stderr);
	exit(1);
}
BIO_free_all(bio);   // the key object does not depend on the BIO once it has been read

// Load the certificate that will be sent as the BinarySecurityToken
BIO *bio1 = BIO_new(BIO_s_file());
if (!bio1 || BIO_read_filename(bio1, keyfile1) <= 0) {
	ERR_print_errors_fp(stderr);
	exit(1);
}
X509 *cert = PEM_read_bio_X509(bio1, NULL, NULL, NULL);
if (!cert) {
	ERR_print_errors_fp(stderr);
	exit(1);
}
BIO_free_all(bio1);

//----------------------------------------------------------------------------------

VfswsBinding b = VfswsBinding();
soap_omode(b.soap, SOAP_XML_CANONICAL);   // canonical XML is required for the XML signature

// Set the endpoint
CString urlConfig = GetURL();
b.endpoint = urlConfig;   // CString converts to a const char* only in non-Unicode (MBCS) builds

soap_register_plugin(b.soap, soap_wsse); // Register the wsse plugin in the SOAP context

soap_wsse_add_UsernameTokenText(b.soap, "Id", "user", "pass");

// Attach the certificate as a token, reference it from KeyInfo, then sign the body with the key
int ret1 = soap_wsse_add_BinarySecurityTokenX509(b.soap, "X509Token", cert);
int ret2 = soap_wsse_add_KeyInfo_SecurityTokenReferenceX509(b.soap, "#X509Token");
int ret3 = soap_wsse_sign_body(b.soap, SOAP_SMD_SIGN_RSA_SHA1, pkey, 0);
if (ret1 || ret2 || ret3) {
	soap_print_fault(b.soap, stderr);
	soap_print_fault_location(b.soap, stderr);
	printf("ret1=%d  ret2=%d  ret3=%d\n", ret1, ret2, ret3);
	exit(1);
}

soap_ssl_init(); // init OpenSSL (just once per process)
if (soap_ssl_client_context(b.soap,
//		SOAP_SSL_REQUIRE_SERVER_AUTHENTICATION, // Use for testing only
//		Use the option below for all Web services
//		(SOAP_SSL_SKIP_HOST_CHECK disables matching of the server name against its certificate)
		(SOAP_SSL_SKIP_HOST_CHECK | SOAP_SSL_REQUIRE_SERVER_AUTHENTICATION),
//		SOAP_SSL_NO_AUTHENTICATION, // Included for testing.
		NULL,              // keyfile: required only when client must authenticate to server
		NULL,              // password for the keyfile
		"C:\\service.pem", // path to file where trusted certificates are stored (needed to verify server)
		NULL,              // capath to directory with trusted certificates
		NULL               // if randfile != NULL: use a file with random data to seed randomness
		))
{
	soap_print_fault(b.soap, stderr);
	exit(1);
}

LVL 33

Accepted Solution

by:
Dave Howe earned 500 total points
ID: 24855501
If you are currently using a PEM-encoded secret key file and cert file via the OpenSSL libraries, you should probably open the pfx in the openssl command line tool (or xca - http://sourceforge.net/projects/xca ) and re-export it in that format.

Author Comment

by:rbhargaw
ID: 24863310
I ran the command:

openssl pkcs12 -in mycert.pfx -out mycert.pem
openssl pkcs8 -in mycert.pem -topk8 -out mycert.pk8

and was able to generate a pem file and a pk8 file. So I am assuming I will use them here in the code:
------------------------------------------------------
char *keyfile = "C:\\test.pk8";
 
char *keyfile1 = "C:\\test1.pem";
-----------------------------------------------

Can you tell me what should be in "C:\\service.pem" as referenced in the code under soap_ssl_client_context?
Author Comment

by:rbhargaw
ID: 24863366
Will "C:\\service.pem" be the ".cer" file provided by the vendor, as I can convert ".cer" to ".pem"?
LVL 33

Expert Comment

by:Dave Howe
ID: 24863622
Yes. It should be the certificate for the server, or the root of its certificate chain, for verification purposes.
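The conversion Dave recommends (re-exporting the .pfx into the PEM/PKCS#8 form the OpenSSL-based client loads), the two openssl commands rbhargaw ran, and the answer to the service.pem question can be tied together in one script. This is an added example, not code from the thread or from gSOAP: it fabricates a self-signed "vendor" certificate, a DER .cer of it and a password-protected .pfx so it runs offline, then splits the .pfx into a certificate-only .pem and an encrypted .pk8, converts the .cer to PEM for use as the trusted-CA file, and checks that the key actually belongs to the certificate. All file names and passwords (pfxsecret, keysecret) are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original thread): convert a vendor .pfx/.cer into the
# PEM and PKCS#8 files the gSOAP+OpenSSL client expects, and sanity-check the result.
set -e

# Throw-away test material so the script runs offline: a self-signed "vendor" certificate,
# its private key, a DER-encoded .cer of it, and a .pfx bundling certificate and key.
make_test_material() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=vendor-test" \
        -keyout "$dir/vendor.key" -out "$dir/vendor.crt" 2>/dev/null
    openssl x509 -in "$dir/vendor.crt" -outform DER -out "$dir/vendor.cer"
    openssl pkcs12 -export -inkey "$dir/vendor.key" -in "$dir/vendor.crt" \
        -out "$dir/client.pfx" -passout pass:pfxsecret
}

# Split a .pfx into the two pieces the client loads separately:
#   <out>.pem  the client certificate only   (read with PEM_read_bio_X509)
#   <out>.pk8  the private key as encrypted PKCS#8 (read with PEM_read_bio_PrivateKey + password)
pfx_to_pem() {
    pfx=$1; out=$2; pfxpass=$3; keypass=$4
    openssl pkcs12 -in "$pfx" -clcerts -nokeys -passin "pass:$pfxpass" -out "$out.pem"
    openssl pkcs12 -in "$pfx" -nocerts -nodes  -passin "pass:$pfxpass" -out "$out.tmp.key"
    openssl pkcs8 -topk8 -v2 aes-256-cbc -in "$out.tmp.key" \
        -passout "pass:$keypass" -out "$out.pk8"
    rm -f "$out.tmp.key"   # do not leave the unencrypted key on disk
}

# A .cer handed out by a vendor is usually DER; the CA file given to
# soap_ssl_client_context (service.pem in the thread) must be PEM.
cer_to_pem() {
    openssl x509 -inform DER -in "$1" -out "$2"
}

# Does the private key belong to the certificate? A mismatch produces a signed body the
# server rejects, so compare the public keys before wiring the files into the client.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey)
    k=$(openssl pkey -in "$2" -passin "pass:$3" -pubout)
    [ "$c" = "$k" ]
}

# Show what the files contain and whether the CA file validates the server certificate.
inspect() {
    dir=$1
    echo "== client certificate ($dir/client.pem)"
    openssl x509 -in "$dir/client.pem" -noout -subject -issuer -dates
    echo "== does $dir/service.pem validate the server certificate?"
    openssl verify -CAfile "$dir/service.pem" "$dir/vendor.crt"
}

demo() {
    d=$(mktemp -d)
    make_test_material "$d"
    pfx_to_pem "$d/client.pfx" "$d/client" pfxsecret keysecret
    cer_to_pem "$d/vendor.cer" "$d/service.pem"
    key_matches_cert "$d/client.pem" "$d/client.pk8" keysecret && echo "key matches certificate"
    inspect "$d"
    rm -rf "$d"
}
demo
```

Against a real vendor bundle, replace the `make_test_material` step with the files you were given: client.pem and client.pk8 then map to `keyfile1` and `keyfile` in the client code (with keysecret as the `password`), and service.pem is the vendor's .cer converted to PEM, i.e. the server certificate or the root of its chain, exactly as the accepted answer says. Once service.pem really does hold that root, `openssl verify` passing here means `SOAP_SSL_REQUIRE_SERVER_AUTHENTICATION` will pass in the client too, so there is no need to weaken the context with `SOAP_SSL_SKIP_HOST_CHECK`.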

Author Comment

by:rbhargaw
ID: 24864022
Thanks a lot Dave!

Author Closing Comment

by:rbhargaw
ID: 31603256
Thanks!