.pfx and .cer file, to access Web services

Posted on 2009-07-14
Last Modified: 2013-11-18
Hello Experts,

I have been provided with .cer (SSL Certificate) and .pfx (Digital Signing Certificate) files by the vendor to connect to an external Webservice through my client.
I want to know more about how these files work. I just ran them on my machine by double-clicking them, but do I need to code in my client (VC++ application) for them to work?
Please let me know.

Thanks
Roop
Question by:rbhargaw
8 Comments
 
LVL 33

Expert Comment

by:Dave Howe
ID: 24850045
A CER is an X.509 certificate - the same as you can see for any https website by clicking on the padlock icon.

The PFX is a special case, in that it contains both one or more CER files, plus a private keyfile which can be used to decrypt messages encrypted using the encryption key embodied in the CER file.

The CER will be the issuing root certificate, and will be added to the root certificate store of your IE by double-clicking it - this will allow you to check the website's certificate is valid (and as a side effect, allows that customer to fake certificates for any website he chooses, and your web browser will accept them as valid).

The PFX will be a client validation certificate, and its matching keyfile. Your web browser will automatically respond to a request for a client certificate by offering the CER file embedded in the PFX to the remote server. It will prove ownership by correctly responding to a request based on the encryption key in that CER file, using the secret keyfile to decrypt the traffic.

Depending on what library your C++ application uses for https, you may or may not have to import them to some other keystore - for example Java applets need them imported into the Java keystore, but most calls to Microsoft libraries just use the Windows (Internet Explorer) keystore, which is the default for double-clicking.
 

Author Comment

by:rbhargaw
ID: 24852550
Thanks Dave for the explanation.

Actually I have used OpenSSL libraries and Wsse in the C++ code to connect to their sample web service.

While coding I used ".pk8" or ".pem" files for testing but never used the .pfx or .cer file provided by the vendor to connect. Hence I am wondering if I need to import them?

Thanks

// Headers this fragment needs (the original paste omitted them)
#include <cstdio>
#include <cstdlib>
#include <openssl/bio.h>
#include <openssl/pem.h>
#include <openssl/err.h>
#include <openssl/x509.h>
#include "soapVfswsBindingProxy.h"   // gSOAP-generated proxy for the vendor binding
#include "plugin/wsseapi.h"          // gSOAP WS-Security (wsse) plugin
#include "plugin/smdevp.h"           // SOAP_SMD_SIGN_RSA_SHA1

const char *keyfile = "C:\\test.pk8";     // PKCS#8 private key (PEM), password protected
const char *password = "pass";

const char *keyfile1 = "C:\\test1.pem";   // matching client certificate (PEM)

BIO *bio;
EVP_PKEY *pkey;

soap_ssl_init(); // init OpenSSL once, before any PEM or SSL call (loads algorithms and error strings)

// Load the private key that will sign the SOAP body
bio = BIO_new( BIO_s_file() );
if (!bio || BIO_read_filename( bio, keyfile ) <= 0)
	{
	ERR_print_errors_fp(stderr);
	exit(1);
	}

pkey = PEM_read_bio_PrivateKey( bio, NULL, NULL, const_cast<char *>(password) );
if (!pkey)
	{
	ERR_print_errors_fp(stderr);
	exit(1);
	}
BIO_free_all(bio); // the key is in memory now; the file BIO is no longer needed

// Load the client certificate that becomes the X509 BinarySecurityToken
BIO *bio1;
bio1 = BIO_new( BIO_s_file() );
if (!bio1 || BIO_read_filename( bio1, keyfile1 ) <= 0)
	{
	ERR_print_errors_fp(stderr);
	exit(1);
	}
X509 *cert = PEM_read_bio_X509(bio1, NULL, NULL, NULL);
if (!cert) {
		ERR_print_errors_fp(stderr);	exit(1);
}
BIO_free_all(bio1);
//----------------------------------------------------------------------------------

	VfswsBinding b;                          // gSOAP proxy for the vendor's service
soap_omode(b.soap, SOAP_XML_CANONICAL);  // canonical XML: required for the body signature to verify
	// Set the Endpoint
CString urlConfig = GetURL();
	b.endpoint = urlConfig;                  // CString -> LPCTSTR; needs an MBCS (non-Unicode) build

	 soap_register_plugin(b.soap, soap_wsse); // Register the wsse plugin in the SOAP context

	soap_wsse_add_UsernameTokenText(b.soap, "Id", "user", "pass");

	int ret1 = soap_wsse_add_BinarySecurityTokenX509(b.soap, "X509Token", cert);
	int ret2 = soap_wsse_add_KeyInfo_SecurityTokenReferenceX509(b.soap, "#X509Token");
	int ret3 = soap_wsse_sign_body(b.soap, SOAP_SMD_SIGN_RSA_SHA1, pkey, 0); // signing happens when the message is sent
	if (ret1 || ret2 || ret3){
		soap_print_fault(b.soap, stderr);
		soap_print_fault_location(b.soap, stderr);
		printf("ret1=%d  ret2=%d  ret3=%d\n",ret1,ret2,ret3);
		exit(1);
	}

		// TLS client context: the cafile is what the server's certificate is checked against
		if (soap_ssl_client_context(b.soap,
//			SOAP_SSL_REQUIRE_SERVER_AUTHENTICATION , // Use for testing only
//			Use the option below for all Web services
			(SOAP_SSL_SKIP_HOST_CHECK | SOAP_SSL_REQUIRE_SERVER_AUTHENTICATION), // chain is verified, but the host name in the cert is not
//			SOAP_SSL_NO_AUTHENTICATION, // Included for testing.
			NULL, //keyfile: required only when client must authenticate to server (TLS client cert)
			NULL, // password for the keyfile
			// path to file where trusted certificates are stored (needed to verify server)
			"C:\\service.pem",
			NULL, // capath to directory with trusted certificates
			NULL // if randfile!=NULL: use a file with random data to seed randomness
			))
		{
			soap_print_fault(b.soap, stderr);
			exit(1);
		}

 
LVL 33

Accepted Solution

by: Dave Howe (earned 500 total points)
ID: 24855501
If you are using a PEM encoded secret key file and cert file currently via the openssl libraries, you should probably open the pfx in the openssl command line tool (or xca - http://sourceforge.net/projects/xca ) and re-export in that format.

Author Comment

by:rbhargaw
ID: 24863310
I ran the command:

openssl pkcs12 -in mycert.pfx -out mycert.pem
openssl pkcs8 -in mycert.pem -topk8 -out mycert.pk8

and was able to generate the .pem file and .pk8 file. So I am assuming I will use them here in the code:
------------------------------------------------------
char *keyfile = "C:\\test.pk8";
 
char *keyfile1 = "C:\\test1.pem";
-----------------------------------------------

Can you tell me what should be in "C:\\service.pem" as referenced in the code under soap_ssl_client_context?
 

Author Comment

by:rbhargaw
ID: 24863366
Will "C:\\service.pem" be the ".cer" file provided by the vendor, as I can convert ".cer" to ".pem"?
 
LVL 33

Expert Comment

by:Dave Howe
ID: 24863622
Yes. It should be the certificate for the server, or the root of its certificate chain, for verification purposes.
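Dave's advice to re-export the .pfx in PEM form, the two openssl commands above, and the question of what belongs in "C:\\service.pem", as one added shell example that is not part of this thread. It assumes only the openssl command-line tool; the "Demo CA", file names and password are constructed placeholders, and the sample CA, client certificate and .pfx are generated inside the script.

```shell
#!/bin/sh
# Added example (not from the thread): produce the files the gSOAP/OpenSSL client
# above expects from the vendor's .pfx and .cer, then check they fit together.
# Assumes the openssl CLI is on PATH; names, paths and the password are placeholders.
set -e

# pfx_to_pem PFX PASSWORD OUTDIR -> OUTDIR/client.pk8 (PKCS#8 key, same password)
#                                   OUTDIR/client.pem (client certificate only)
pfx_to_pem() {
    pfx=$1; pw=$2; out=$3
    mkdir -p "$out"
    # -nocerts: key only; pkcs8 -topk8 gives the form PEM_read_bio_PrivateKey reads
    # (the thread's plain "pkcs12 -in x.pfx -out x.pem" puts key AND cert in one file)
    openssl pkcs12 -in "$pfx" -nocerts -passin "pass:$pw" -passout "pass:$pw" |
        openssl pkcs8 -topk8 -passin "pass:$pw" -passout "pass:$pw" -out "$out/client.pk8"
    # -clcerts -nokeys: the end-entity certificate that becomes the X509Token
    openssl pkcs12 -in "$pfx" -clcerts -nokeys -passin "pass:$pw" -out "$out/client.pem"
}

# cer_to_pem CER OUT: vendor .cer files are usually DER; the gSOAP cafile must be PEM
cer_to_pem() {
    openssl x509 -in "$1" -inform DER -out "$2" 2>/dev/null ||
        openssl x509 -in "$1" -inform PEM -out "$2"    # already PEM
}

# check_chain CAFILE CERT: succeeds only if CERT chains to CAFILE, which is the
# check soap_ssl_client_context performs on the server certificate at connect time
check_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# run_demo: constructed sample data (a throwaway CA, a client cert it signed, a .pfx
# holding cert+key, and the CA as a DER .cer), run through the three steps above.
run_demo() {
    tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$tmp/ca.key" -out "$tmp/ca.pem" 2>/dev/null
    openssl x509 -in "$tmp/ca.pem" -outform DER -out "$tmp/ca.cer"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo client" \
        -keyout "$tmp/client.key" -out "$tmp/client.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$tmp/client.csr" -CA "$tmp/ca.pem" \
        -CAkey "$tmp/ca.key" -CAcreateserial -out "$tmp/client.crt" 2>/dev/null
    openssl pkcs12 -export -in "$tmp/client.crt" -inkey "$tmp/client.key" \
        -out "$tmp/client.pfx" -passout pass:demo-secret
    pfx_to_pem "$tmp/client.pfx" demo-secret "$tmp/out"
    cer_to_pem "$tmp/ca.cer" "$tmp/service.pem"
    check_chain "$tmp/service.pem" "$tmp/out/client.pem" && echo "$tmp"
}
```

With OpenSSL 3, a .pfx written by older tooling may need `-legacy` on the pkcs12 commands before its RC2/3DES encryption can be read.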
 

Author Comment

by:rbhargaw
ID: 24864022
Thanks a lot Dave!
 

Author Closing Comment

by:rbhargaw
ID: 31603256
Thanks!