.pfx and .cer file, to access Web services

Hello Experts,

I have been provided with a .cer (SSL certificate) and a .pfx (digital signing certificate) file by the vendor to connect to an external web service through my client.
I want to know more about how these files work. I just ran them on my machine by double-clicking them, but do I need to code in my client (VC++ application) for them to work?
Please let me know.

Thanks
Roop
rbhargaw (Founder) asked:
Dave Howe (Software and Hardware Engineer) commented:
A CER is an X.509 certificate, the same as you can see for any HTTPS website by clicking on the padlock icon.

The PFX is a special case, in that it contains both one or more CER files plus a private key file which can be used to decrypt messages encrypted using the encryption key embodied in the CER file.

The CER will be the issuing root certificate, and will be added to the root certificate store of your IE by double-clicking it. This will allow you to check that the website's certificate is valid (and, as a side effect, allows that customer to fake certificates for any website he chooses, and your web browser will accept them as valid).

The PFX will be a client validation certificate and its matching key file. Your web browser will automatically respond to a request for a client certificate by offering the CER file embedded in the PFX to the remote server. It will prove ownership by correctly responding to a request based on the encryption key in that CER file, using the secret key file to decrypt the traffic.

Depending on what library your C++ application uses for HTTPS, you may or may not have to import them into some other keystore. For example, Java applets need them imported into the Java keystore, but most calls to Microsoft libraries just use the Windows (Internet Explorer) keystore, which is the default for double-clicking.
rbhargaw (Founder, Author) commented:
Thanks, Dave, for the explanation.

Actually I have used the OpenSSL libraries and WSSE in the C++ code to connect to their sample web service.

While coding I used ".pk8" or ".pem" files for the testing but never used the .pfx or .cer file provided by the vendor to connect. Hence I am wondering if I need to import them?

Thanks

// Includes assumed for the fragment below (the original post omitted them)
#include <cstdio>
#include <cstdlib>
#include <openssl/bio.h>
#include <openssl/pem.h>
#include <openssl/x509.h>
#include <openssl/err.h>
#include "soapVfswsBindingProxy.h"   // gSOAP-generated proxy class (header name assumed)
#include "plugin/wsseapi.h"           // gSOAP WS-Security (wsse) plugin

// GetURL() is the application's own helper returning the service endpoint;
// declared here for completeness, defined elsewhere in the application.
CString GetURL();

int CallVendorService()
{
    const char *keyfile  = "C:\\test.pk8";   // client private key (PKCS#8), password protected
    const char *password = "pass";
    const char *keyfile1 = "C:\\test1.pem";  // client (signing) certificate

    // Load the private key used to sign the SOAP body
    BIO *bio = BIO_new( BIO_s_file() );
    if (BIO_read_filename( bio, keyfile ) <= 0) {
        ERR_print_errors_fp(stderr);
        exit(1);
    }
    EVP_PKEY *pkey = PEM_read_bio_PrivateKey( bio, NULL, NULL, (void *)password );
    if (!pkey)
    {
        ERR_print_errors_fp(stderr);
        exit(1);
    }
    BIO_free_all(bio);    // the key has been copied out; the BIO is no longer needed

    // Load the certificate that will be sent as the BinarySecurityToken
    BIO *bio1 = BIO_new( BIO_s_file() );
    if (BIO_read_filename( bio1, keyfile1 ) <= 0) {
        ERR_print_errors_fp(stderr);
        exit(1);
    }
    X509 *cert = PEM_read_bio_X509(bio1, NULL, NULL, NULL);
    if (!cert) {
        ERR_print_errors_fp(stderr);
        exit(1);
    }
    BIO_free_all(bio1);
    //----------------------------------------------------------------------------------

    VfswsBinding b = VfswsBinding();
    soap_omode(b.soap, SOAP_XML_CANONICAL);   // canonical XML output, needed for XML signatures
    // Set the endpoint
    CString urlConfig = GetURL();
    b.endpoint = urlConfig;

    soap_register_plugin(b.soap, soap_wsse); // Register the wsse plugin in the SOAP context

    soap_wsse_add_UsernameTokenText(b.soap, "Id", "user", "pass");

    // Attach the certificate, reference it from KeyInfo, and sign the body with the private key
    int ret1 = soap_wsse_add_BinarySecurityTokenX509(b.soap, "X509Token", cert);
    int ret2 = soap_wsse_add_KeyInfo_SecurityTokenReferenceX509(b.soap, "#X509Token");
    int ret3 = soap_wsse_sign_body(b.soap, SOAP_SMD_SIGN_RSA_SHA1, pkey, 0);
    if (ret1 || ret2 || ret3) {
        soap_print_fault(b.soap, stderr);
        soap_print_fault_location(b.soap, stderr);
        printf("ret1=%d  ret2=%d  ret3=%d\n", ret1, ret2, ret3);
        exit(1);
    }

    soap_ssl_init(); // init OpenSSL (just once)
    if (soap_ssl_client_context(b.soap,
            // SOAP_SSL_REQUIRE_SERVER_AUTHENTICATION, // Use for testing only
            // Use the option below for all Web services
            (SOAP_SSL_SKIP_HOST_CHECK | SOAP_SSL_REQUIRE_SERVER_AUTHENTICATION),
            // SOAP_SSL_NO_AUTHENTICATION, // Included for testing.
            NULL,              // keyfile: required only when client must authenticate to server
            NULL,              // password for the keyfile
            "C:\\service.pem", // path to file where trusted certificates are stored (needed to verify server)
            NULL,              // capath to directory with trusted certificates
            NULL               // if randfile != NULL: use a file with random data to seed randomness
            ))
    {
        soap_print_fault(b.soap, stderr);
        exit(1);
    }
    return 0;
}


Dave Howe (Software and Hardware Engineer) commented:
If you are currently using a PEM-encoded secret key file and cert file via the OpenSSL libraries, you should probably open the PFX in the OpenSSL command line tool (or XCA - http://sourceforge.net/projects/xca ) and re-export it in that format.

rbhargaw (Founder, Author) commented:
I ran the commands:

openssl pkcs12 -in mycert.pfx -out mycert.pem
openssl pkcs8 -in mycert.pem -topk8 -out mycert.pk8

and was able to generate the pem file and pk8 file. So I am assuming I will use them here in the code:
------------------------------------------------------
char *keyfile = "C:\\test.pk8";
 
char *keyfile1 = "C:\\test1.pem";
-----------------------------------------------

Can you tell me what should be in "C:\\service.pem" as referenced in the code under soap_ssl_client_context?
rbhargaw (Founder, Author) commented:
Will "C:\\service.pem" be the ".cer" file provided by the vendor, as I can convert ".cer" to ".pem"?
Dave Howe (Software and Hardware Engineer) commented:
Yes. It should be the certificate for the server, or the root of its certificate chain, for verification purposes.
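Dave's advice to re-export the PFX with the OpenSSL command line, and the openssl commands and the service.pem question in the follow-ups, worked through as an added example that is not code from this thread: a POSIX shell script that splits a vendor .pfx into the password-protected test.pk8 and the test1.pem certificate the C++ code reads, converts the .cer into service.pem for soap_ssl_client_context, and checks that the extracted key really belongs to the extracted certificate. File names, passwords and the output directory are assumptions.

```shell
#!/bin/sh
# Added example, not code from this thread. Produces the three PEM files the
# gSOAP/OpenSSL client above reads from a vendor-supplied .pfx and .cer, then
# checks that the extracted key really belongs to the extracted certificate.
# All file names and the output directory are assumptions.
set -e

# .pfx -> test.pk8 (PKCS#8 private key, encrypted with $keypass, matching the
# password passed to PEM_read_bio_PrivateKey) and test1.pem (client cert only).
pfx_to_pem() {              # usage: pfx_to_pem vendor.pfx PFXPASS KEYPASS outdir
  pfx=$1; pfxpass=$2; keypass=$3; out=$4
  mkdir -p "$out"
  openssl pkcs12 -in "$pfx" -passin "pass:$pfxpass" -nocerts -nodes |
    openssl pkcs8 -topk8 -v2 aes-256-cbc -passout "pass:$keypass" -out "$out/test.pk8"
  chmod 600 "$out/test.pk8"           # the private key is the secret; lock it down
  # -clcerts keeps the end-entity certificate only, not the chain bundled in the pfx
  openssl pkcs12 -in "$pfx" -passin "pass:$pfxpass" -nokeys -clcerts -out "$out/test1.pem"
}

# .cer -> service.pem, the trust anchor given to soap_ssl_client_context().
# Vendors ship .cer as either DER or PEM; try DER first, then fall back to PEM.
cer_to_pem() {              # usage: cer_to_pem vendor.cer outdir
  cer=$1; out=$2
  mkdir -p "$out"
  openssl x509 -inform DER -in "$cer" -out "$out/service.pem" 2>/dev/null ||
    openssl x509 -inform PEM -in "$cer" -out "$out/service.pem"
}

# Succeeds only if the public key inside test1.pem equals the one derived from
# test.pk8, i.e. the signing key and the BinarySecurityToken cert belong together.
key_matches_cert() {        # usage: key_matches_cert outdir KEYPASS
  out=$1; keypass=$2
  certpub=$(openssl x509 -in "$out/test1.pem" -noout -pubkey)
  keypub=$(openssl pkey -in "$out/test.pk8" -passin "pass:$keypass" -pubout)
  [ -n "$certpub" ] && [ "$certpub" = "$keypub" ]
}

# Prints the subject of every certificate in a PEM file, handy for confirming
# that service.pem really is the server's issuer and not the client cert.
pem_subjects() {            # usage: pem_subjects file.pem
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout | sed -n 's/^subject=//p'
}
```

A wrong KEYPASS makes key_matches_cert fail, which is the same failure PEM_read_bio_PrivateKey would report in the C++ code.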
rbhargaw (Founder, Author) commented:
Thanks a lot Dave!
rbhargaw (Founder, Author) commented:
Thanks!