Discussion:
Problem with WinINET and SSL
PLS
2007-09-24 20:03:13 UTC
I'm trying to use WinInet to make a POST query over SSL with a client
certificate that has a private key to retrieve data. In other words, I
need two-way authentication.
My code works for non-SSL connections.

To use SSL, I have added INTERNET_FLAG_SECURE to the HttpOpenRequest
call and added code to retrieve the client certificate and add it to the
request with this code:
int res = InternetSetOption(
    _hRequest,
    INTERNET_OPTION_CLIENT_CERT_CONTEXT,
    (void *) pContext,
    sizeof(CERT_CONTEXT)
);

CertFreeCertificateContext(pContext);
CertCloseStore(hStore, 0);
// Yes, res is checked and is good

When I attempt the query, HttpSendRequest fails with error code 12157
and the system event log contains this message:

The SSL client credential's certificate does not have a private key
information property attached to it. This most often occurs when a
certificate is backed up incorrectly and then later restored. This
message can also indicate a certificate enrollment failure.

Do I need to do something separate from adding the certificate to add
the private key? What else might be happening here?

Any suggestions gratefully appreciated.

Thanks,
++PLS
Vadym Stetsiak
2007-10-03 10:28:29 UTC
Hello, PLS!

Is the server certificate from a trusted Certificate Authority? That is, the
client must trust the server certificate and vice versa (the client cert must
be trusted on the server side).

--
With best regards, Vadym Stetsiak.
Blog: http://vadmyst.blogspot.com

PLS
2007-10-03 19:47:39 UTC
The server and client certificates are issued by the same authority.
There is a certificate for the authority in the Trusted Root
Certificates store. And when I view the certificate in the Personal
store it will show me the certification path via 3 intermediaries back
to that root certificate.

I'd expect a different error if the certificate were not signed, I
think. I'd expect a rejection back from the other side.

++PLS
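An added diagnostic that is not part of this thread, written in PowerShell rather than against WinINet directly, to separate the two things raised so far. The event log message in the first post says Schannel found no private key information property (CERT_KEY_PROV_INFO_PROP_ID) on the client certificate; from the store that shows up as HasPrivateKey being false and as certutil printing no key container for the cert, and certutil -repairstore is the documented way to re-attach a key that still exists in the user's key containers. Vadym's trust question can be checked on the client side by building the chain (the server's trust of the client cert has to be checked on the server). The final request goes through .NET, not WinINet, so if it fails with the same Schannel event the fault is the certificate and key association, not the InternetSetOption call. The subject substring and URL are placeholders, not values from the thread.

```powershell
# Added example, not code from the thread. Assumes the client certificate is in
# the CurrentUser\My (Personal) store. $SubjectMatch and $Uri are placeholders.
param(
    [string]$SubjectMatch = 'CN=client',                   # assumption: substring of the cert subject
    [string]$Uri          = 'https://example.invalid/post' # assumption: placeholder endpoint
)

$certs = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -like "*$SubjectMatch*" }
if (-not $certs) { throw "No certificate matching '$SubjectMatch' in CurrentUser\My" }

foreach ($cert in $certs) {
    "Thumbprint   : $($cert.Thumbprint)"
    "Subject      : $($cert.Subject)"
    "NotAfter     : $($cert.NotAfter)"
    # HasPrivateKey reflects the key provider info property Schannel needs;
    # the event log text quoted in the thread says exactly this is missing.
    "HasPrivateKey: $($cert.HasPrivateKey)"

    # Build the chain against the local trust stores (client-side half of the
    # trust question). Revocation is skipped so the check runs offline.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $ok = $chain.Build($cert)
    "ChainValid   : $ok"
    if (-not $ok) {
        $chain.ChainStatus | ForEach-Object { "  $($_.Status): $($_.StatusInformation)" }
    }
    "Chain        : " + (($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' -> ')
}

$first = $certs | Select-Object -First 1

# What CryptoAPI knows about the key container. A cert with no key association
# prints no 'Key Container' / 'Provider' lines in this output.
certutil -user -store My $first.Thumbprint

if (-not $first.HasPrivateKey) {
    # Re-associate the certificate with a matching key in the user's key
    # containers; this is the usual fix when a cert was imported without its key.
    certutil -user -repairstore My $first.Thumbprint
}

# Exercise the same certificate over TLS from .NET instead of WinINet. A
# failure here with the same Schannel event points at the cert, not the code.
try {
    $resp = Invoke-WebRequest -Uri $Uri -Method Post -Body 'ping' `
                              -Certificate $first -UseBasicParsing
    "HTTP $($resp.StatusCode) with client certificate"
} catch {
    "Request failed: $($_.Exception.Message)"
}
```

If repairstore reports that no matching key was found, the key was never imported with the certificate (for example a .cer was installed instead of the .pfx), and re-enrolling or importing the PFX with its key is the only fix.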
Vadym Stetsiak
2007-10-04 08:59:27 UTC
Hello, PLS!

Did you try calling the cert context cleanup
(CertFreeCertificateContext(pContext);) after you do the request?
--
With best regards, Vadym Stetsiak.
Blog: http://vadmyst.blogspot.com
PLS
2007-10-08 23:17:59 UTC
I do that. But what I do after the request fails won't help the request
succeed.

++PLS