
I have a client who has a requirement to validate users logging into my web application against his active directory using LDAP. In trying to connect using the DirectoryEntry and DirectorySearcher .NET classes, I can connect to his AD Server but not access it.

The client's AD server has an SSL Certificate for which he has given me a public key file but I don't know how to use this public key file in my C# code.

When I issue the connect command through code, I see, via Wireshark, my application sending the connection request. I then see the server responding with "Server Hello, Certificate, Certificate Request, Server Hello Done". Then my application never responds after that.

In using another application, written by somebody else for which I do not have code, I see the same request from the server and then see the application respond with "Certificate, Client Key Exchange" and then the application connects and runs.

With that said, my question then becomes, how can I get my C# application to load and send the key file I got from the client?

John Saunders
Chris Meadows
  • I have edited your title. Please see, "[Should questions include “tags” in their titles?](http://meta.stackexchange.com/questions/19190/)", where the consensus is "no, they should not". – John Saunders Oct 10 '12 at 20:25
  • Does this work for you? http://stackoverflow.com/questions/10850860/how-do-i-validate-active-directory-creds-over-ldap-ssl – Amitd Oct 10 '12 at 20:27
  • Thank you John for correcting that issue. I'll know next time. – Chris Meadows Oct 11 '12 at 11:20
  • Amitd, I tried the approach in the suggested article and I still get blocked when the server requests my certificate. I was sent a .KEY file that contains, what I was told, a public key. The file starts with the BEGIN RSA PRIVATE KEY and ends with END RSA PRIVATE KEY tags but I cannot do anything with it. I tried to import it and Windows 7 does not recognize the file. – Chris Meadows Oct 11 '12 at 11:22
  • Not sure why my question is considered off-topic. I think the proverbial gun was jumped. Anyway, I wish I could give Amitd credit for his answer because it was the correct one. However, I had to add one additional line to enable my code to talk with the server via the SSL Certificate. I would post the full answer but the topic is closed. – Chris Meadows Oct 17 '12 at 15:12
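The bind described in the question, written out as an added example (it is not code from the question, the answers, or any library the page names). It uses System.DirectoryServices.Protocols rather than DirectoryEntry because LdapConnection exposes both the server-certificate check and the client-certificate slot; the host name, port, file names and credentials are hypothetical placeholders.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Security.Cryptography.X509Certificates;

// Added example (not from the question or answers). Hypothetical values:
//   dc01.example.internal : the client's domain controller, LDAPS on 636
//   ad-server.cer         : the server certificate the client handed over (DER or Base-64 X.509)
//   client.pfx            : certificate + private key, only if the server *requires* client auth
public static class LdapsAuth
{
    // Binds to AD over LDAPS with the user's credentials.
    // Returns true when the bind succeeds, false on invalid credentials;
    // any other failure (TLS handshake, unreachable server) propagates as LdapException.
    public static bool ValidateCredentials(
        string host, int port, string expectedServerThumbprint,
        string userPrincipalName, string password,
        X509Certificate2 clientCertificate = null)
    {
        var server = new LdapDirectoryIdentifier(host, port,
            fullyQualifiedDnsHostName: true, connectionless: false);

        using (var conn = new LdapConnection(server))
        {
            conn.SessionOptions.ProtocolVersion = 3;
            conn.SessionOptions.SecureSocketLayer = true; // LDAPS on 636, TLS from the first byte
            conn.AuthType = AuthType.Basic;               // simple bind; acceptable only inside TLS

            // Pin the server certificate to the one the client gave us instead of
            // trusting whatever the machine's root store happens to accept.
            conn.SessionOptions.VerifyServerCertificate = (connection, certificate) =>
            {
                var presented = new X509Certificate2(certificate);
                return string.Equals(presented.Thumbprint, expectedServerThumbprint,
                                     StringComparison.OrdinalIgnoreCase);
            };

            // The "Certificate Request" seen in Wireshark is the server offering client auth.
            // Only attach a certificate if the server actually requires one; a bare
            // "RSA PRIVATE KEY" file is not a certificate and cannot be used here on its own.
            if (clientCertificate != null)
                conn.ClientCertificates.Add(clientCertificate);

            try
            {
                conn.Bind(new NetworkCredential(userPrincipalName, password));
                return true;
            }
            catch (LdapException ex) when (ex.ErrorCode == 49) // LDAP result 49 = invalidCredentials
            {
                return false;
            }
        }
    }

    public static void Main()
    {
        // Thumbprint of the certificate file the client provided; re-pin when the server cert rotates.
        var serverCert = new X509Certificate2("ad-server.cer");

        // Uncomment if, and only if, the server requires client certificates:
        // var clientCert = new X509Certificate2("client.pfx", "pfx-password");

        bool ok = ValidateCredentials("dc01.example.internal", 636, serverCert.Thumbprint,
                                      "jdoe@example.internal", "password-from-login-form");
        Console.WriteLine(ok ? "authenticated" : "rejected");
    }
}
```

Two points worth checking before blaming the client certificate: a server that sends "Certificate Request" and then waits is frequently only offering client authentication, and a plain simple bind with no client certificate may succeed (which is what the asker eventually reported); and pinning by thumbprint means the application stops working the day the domain controller's certificate is renewed, so the thumbprint should be configuration, not a constant. If you stay with DirectoryEntry, the equivalent switch is AuthenticationTypes.SecureSocketsLayer, but that API gives you no hook to inspect the server certificate yourself.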

2 Answers


The key file needs to be installed into the user's machine / user account.

Take a look at the following to understand how to install the digital certificate...

See step 3...

http://msdn.microsoft.com/en-us/library/ff649247.aspx

Step 3. Request and Install a Client Certificate

This procedure installs a client-side certificate. You can use a certificate from any certificate authority, or you can generate your own certificate using Microsoft Certificate Services as described in the following sections.

This procedure assumes that Microsoft Certificate Services is configured for pending requests, which require an administrator to explicitly issue the certificate. It can also be configured to automatically issue certificates in response to certificate requests.

To check the certificate request status setting

On the Microsoft Certificate Services computer, select Certification Authority from the Administrative Tools programs group. Expand Certification Authority (Local), right-click the certification authority and click Properties. Click the Policy Module tab, and then click Configure. Check the default action. The following procedure assumes that "Set the certificate request status to pending. Administrator must explicitly issue the certificate" is selected.

To request a client-side certificate

Start Internet Explorer and navigate to http://hostname/certsrv, where hostname is the name of the computer on which Microsoft Certificate Services is installed. Click Request a certificate, and then click Next. On the Choose Request Type page, click User Certificate, and then click Next. Click Submit to complete the request. Close Internet Explorer.

To issue the client-side certificate

From the Administrative Tools program group, start the Certification Authority tool. Expand your certificate authority, and then select the Pending Requests folder. Select the certificate request you just submitted, point to All Tasks on the Action menu, and then click Issue. Confirm that the certificate is displayed in the Issued Certificates folder, and then double-click it to view it. On the Details tab, click Copy to File to save the certificate as a Base-64 encoded X.509 certificate. Close the properties window for the certificate. Close the Certification Authority tool.

To install the client-side certificate

To view the certificate, start Windows Explorer, navigate to the .cer file saved in the previous procedure, and then double-click it. Click Install Certificate, and then click Next on the first page of the Certificate Import Wizard. Select Automatically select the certificate store based on the type of certificate, and then click Next. Click Finish to complete the wizard. Dismiss the confirmation message box, and then click OK to close the certificate.

Step 4. Verify Client Certificate Operation

This procedure verifies that you can access the SecureApp application using a client certificate.

To verify client certificate operation

Start Internet Explorer and navigate to https://localhost/secureapp/webform1.aspx. Confirm that the Web page displays successfully.

  • Thank you Matthew for responding and for the suggestion. Unfortunately none of the options in step 3 above (and in the article) work for me. I noticed the article is retired so I wonder if it applies to versions of Windows earlier than what I am running, which currently is Windows 7. I'm really new to the key thing, as is the client, so I'm stumbling along here. When it comes down to it, I have a .KEY file that starts 'BEGIN RSA PRIVATE KEY' and ends 'END RSA PRIVATE KEY' with a bunch of encrypted characters in between. I need to load that file as a certificate but Windows 7 will not do it. – Chris Meadows Oct 11 '12 at 11:28
  • I'm starting to believe the client sent me the wrong file. Should he have sent me a .PFX file I can import? – Chris Meadows Oct 11 '12 at 11:36
  • Hi, that actually helped me... take a look at this information, http://stackoverflow.com/questions/9678202/why-different-private-key-strings-under-linux-or-windows It seems that your client is using OpenSSL. The following page will help you understand more about OpenSSL; I have not got a lot of experience with it unfortunately.. http://www.madboa.com/geek/openssl/ but I think you need to do what I posted in the other answer. I left the original as it is valid for standard cert files, not OpenSSL, and the other answer should allow people to use OpenSSL. Let me know how it goes. –  Oct 11 '12 at 11:54

How do I export or import a PKCS#12 certificate?

PKCS#12 files can be imported and exported by a number of applications, including Microsoft IIS. They are often associated with the file extension .pfx.

To create a PKCS#12 certificate, you’ll need a private key and a certificate. During the conversion process, you’ll be given an opportunity to put an “Export Password” (which can be empty, if you choose) on the certificate.

    # create a file containing key and self-signed certificate
    openssl req \
      -x509 -nodes -days 365 \
      -newkey rsa:1024 -keyout mycert.pem -out mycert.pem

    # export mycert.pem as PKCS#12 file, mycert.pfx
    openssl pkcs12 -export \
      -out mycert.pfx -in mycert.pem \
      -name "My Certificate"

If someone sends you a PKCS#12 and any passwords needed to work with it, you can export it into standard PEM format.

    # export certificate and passphrase-less key
    openssl pkcs12 -in mycert.pfx -out mycert.pem -nodes

    # same as above, but you'll be prompted for a passphrase for
    # the private key
    openssl pkcs12 -in mycert.pfx -out mycert.pem

  • Thank you for the information. Actually, as it turned out I didn't need the client key file or a client certificate. But I do appreciate your research and know it will help with future development both for me and for those who read this post. – Chris Meadows Oct 17 '12 at 15:04
  • It might be worth just detailing a little more about your findings for anyone else who reads this in the future. Or was it simply that you didn't need to use certs at all? –  Oct 17 '12 at 15:35
  • Yes indeed. I actually didn't need to use certs at all from my end. The certificate is installed on the server but I did not need a matching certificate on the client. – Chris Meadows Oct 18 '12 at 11:47
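The PEM-to-PKCS#12 conversion that the second answer does with openssl, carried out in .NET as an added example (not code from the answer or from OpenSSL). It makes the point behind the asker's confusion concrete: a file holding only "BEGIN RSA PRIVATE KEY" is the private half, not a certificate, and Windows will not import it on its own; a .pfx is built from a certificate plus its matching key. The example assumes .NET 7 or later (for the PEM export helpers) and two hypothetical input files, mycert.pem and mykey.key.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example (not from the answer). Requires .NET 7 or later for the PEM export helpers.
// Hypothetical input files:
//   mycert.pem : the certificate ("BEGIN CERTIFICATE" block)
//   mykey.key  : the matching unencrypted "BEGIN RSA PRIVATE KEY" block
public static class PemPfx
{
    // Pairs a PEM certificate with its PEM private key and writes a password-protected .pfx.
    // CreateFromPemFile checks that the key belongs to the certificate and throws if it does not,
    // which is the first thing to verify when a client hands over loose .pem/.key files.
    public static void PemToPfx(string certPemPath, string keyPemPath, string pfxPath, string exportPassword)
    {
        using (X509Certificate2 cert = X509Certificate2.CreateFromPemFile(certPemPath, keyPemPath))
        {
            byte[] pfx = cert.Export(X509ContentType.Pfx, exportPassword);
            File.WriteAllBytes(pfxPath, pfx);
        }
    }

    // Reverses the conversion (the "openssl pkcs12 -in mycert.pfx -out mycert.pem -nodes" case):
    // returns the certificate and the unencrypted private key as PEM text.
    public static (string certPem, string keyPem) PfxToPem(string pfxPath, string password)
    {
        using (var cert = new X509Certificate2(pfxPath, password, X509KeyStorageFlags.Exportable))
        using (RSA rsa = cert.GetRSAPrivateKey()
                         ?? throw new InvalidOperationException("PFX contains no RSA private key"))
        {
            return (cert.ExportCertificatePem(), rsa.ExportRSAPrivateKeyPem());
        }
    }

    // Sanity check after a round trip: same certificate, and a private key came along with it.
    public static bool RoundTripMatches(string certPemPath, string pfxPath, string password)
    {
        using (var original = new X509Certificate2(certPemPath))          // certificate only
        using (var fromPfx = new X509Certificate2(pfxPath, password))      // certificate + key
        {
            return fromPfx.HasPrivateKey
                && string.Equals(original.Thumbprint, fromPfx.Thumbprint, StringComparison.OrdinalIgnoreCase);
        }
    }

    public static void Main()
    {
        PemToPfx("mycert.pem", "mykey.key", "mycert.pfx", "export-password");

        Console.WriteLine(RoundTripMatches("mycert.pem", "mycert.pfx", "export-password")
            ? "mycert.pfx built; it can be imported into the Windows store or loaded with new X509Certificate2(path, password)"
            : "round trip mismatch");

        var (certPem, keyPem) = PfxToPem("mycert.pfx", "export-password");
        File.WriteAllText("mycert-out.pem", certPem + keyPem);   // same layout openssl -nodes produces
    }
}
```

On Windows, a certificate produced by CreateFromPemFile carries its key only ephemerally and is not usable for TLS client authentication as-is; exporting it to a .pfx and loading that file back, as the example does, is the supported way to get a certificate you can hand to an LdapConnection or install for a user. The .pfx holds a private key, so it should be protected with a real export password and stored with the same care as the key it wraps.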