2

We are trying to display HTML content, which requires an X509 Certificate, within a WPF Application that uses the System.Windows.Controls.WebBrowser.

Here is a simple example of the XAML.

<WebBrowser Source="https://server.com/Welcome.html" />

In the situation where there are two or more X509 certificates with KeyUsages == X509KeyUsageFlags.DigitalSignature the Browser Control prompts the user to select which certificate should be used. We would like to prevent this dialog from being displayed.

Through code we can tell which certificate should be used, but we do not see a way to send this information to the browser control. At first we were expecting that the WebBrowser would have a ClientCertificate or ClientCertificates property, like HttpWebRequest does, that we could use to set the certificate, but there does not seem to be any such property.

We realize that the WebBrowser control is really a Win32 control with a WPF wrapper so maybe there is an older Win32 API call that can be used to set the Certificate?

Other suggestions were to use a 3rd party library with a different web browser control. Before we try that approach we wanted to make sure there was no way to use the C# web browser control.

Cameron
Eric

1 Answer

1

The webbrowser control calls the host's IHttpSecurity::OnSecurityProblem implementation to notify about ERROR_INTERNET_CLIENT_AUTH_CERT_NEEDED errors, however you have two obstacles here:

  1. WPF does not really expose any extension point to let you add any webbrowser host interface to the ActiveX host. This can be circumvented by switching to the Windows Forms webbrowser control, or by hosting the ActiveX directly and adding your own IHttpSecurity implementation.

  2. To select a certificate the WinInet way, you need to call InternetErrorDlg with the right HINTERNET handle. However the webbrowser control does not really expose any API to give you that WinInet handle.

I suggest you find or write a programmable proxy to do this authentication at the proxy side, then use UrlMkSetSessionOption to use the proxy in your process. I am not sure FiddlerCore fits the bill, but you can give it a try.

Community
Sheng Jiang 蒋晟
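A sketch of the client side of the proxy approach suggested in the answer above, as an added example that is not code from the answer or from the question. It assumes a programmable proxy that terminates TLS and presents the chosen certificate is already listening on a loopback address; the class name, the thumbprint argument and the proxy address are hypothetical.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Cryptography.X509Certificates;

static class BrowserClientCert   // hypothetical helper, not part of WPF or WinInet
{
    [StructLayout(LayoutKind.Sequential)]
    struct INTERNET_PROXY_INFO
    {
        public int dwAccessType;
        public IntPtr lpszProxy;        // ANSI strings, even in a Unicode process
        public IntPtr lpszProxyBypass;
    }

    const int INTERNET_OPTION_PROXY = 38;
    const int INTERNET_OPEN_TYPE_PROXY = 3;

    [DllImport("urlmon.dll")]
    static extern int UrlMkSetSessionOption(int dwOption, IntPtr pBuffer, int dwBufferLength, int dwReserved);

    // Resolve the single certificate the application has decided on, so the proxy
    // never has to choose between several DigitalSignature certificates.
    public static X509Certificate2 FindClientCertificate(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);
            var hits = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: true);
            if (hits.Count != 1 || !hits[0].HasPrivateKey)
                throw new InvalidOperationException("Expected exactly one valid certificate with a private key.");
            return hits[0];
        }
    }

    // Route this process's urlmon/WinInet traffic, including the WebBrowser control,
    // through the proxy. Call before the first navigation, e.g. "127.0.0.1:8888" (assumed address).
    public static void UseProxyForThisProcess(string hostAndPort)
    {
        var info = new INTERNET_PROXY_INFO { dwAccessType = INTERNET_OPEN_TYPE_PROXY };
        int size = Marshal.SizeOf(typeof(INTERNET_PROXY_INFO));
        IntPtr buffer = Marshal.AllocCoTaskMem(size);
        try
        {
            info.lpszProxy = Marshal.StringToHGlobalAnsi(hostAndPort);
            info.lpszProxyBypass = Marshal.StringToHGlobalAnsi("<local>"); // dotless intranet names bypass the proxy
            Marshal.StructureToPtr(info, buffer, false);
            Marshal.ThrowExceptionForHR(UrlMkSetSessionOption(INTERNET_OPTION_PROXY, buffer, size, 0));
        }
        finally
        {
            Marshal.FreeHGlobal(info.lpszProxy); Marshal.FreeHGlobal(info.lpszProxyBypass);
            Marshal.FreeCoTaskMem(buffer);
        }
    }
}
```

Because the proxy authenticates every request it forwards with the user's private key, it should listen on loopback only and forward only to the intended server.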