
I'm trying to make a web request to a site I wrote which requires the client to provide certificates to authenticate.

Specifically, I'm trying to write a C# (or Visual C++) application that can make a web request, but use the certificate and private key on my HSM.

I realize there's one similar question here, but it hasn't received the answer I need.

I can already:

  • P/Invoke my native pkcs#11 library (a DLL), login, find/create objects on the HSM
  • Using the pkcs#11 interface I can find and read the X509 certificate on the HSM

I cannot:

  • Export the Private Key from the HSM. It is not exportable.

So what I need is a way to make a Web Request from my application and say, "For the handshake, use the X509 and Private Key objects on my HSM."

Please don't suggest that I "check out" things like NCryptoki, Bouncy Castle, etc. - I can already use them to make my Windows app. communicate with the HSM. What I need is how I can make the Windows app. make a web request under the context of the credentials on the HSM.

Chait

1 Answer


When you get a certificate through the pkcs#11 native calls you have no private key attached. The private key does the decrypting so we need it. To get around this you have two options:

  1. Almost all devices register a Cryptographic Service Provider during installation. You can wrap, for example, a RSACryptoServiceProvider over that provider and assign it to the PrivateKey property of your certificate.

  2. Some device drivers sync the certificates from your HSM with the Personal Certificate Store. If you select the certificate from the Windows store it will automatically have a Cryptographic Service Provider attached. So the missing private key issue is gone. All you need to do is add the certificate to the ClientCertificates collection.

You can imagine I would recommend the second option if available.

Vlad Mucescu
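Both options from the answer in C# (.NET Framework), as an added example that is not part of the original question or answer. The thumbprint, CSP provider name and key container name are placeholders; the HSM vendor's CSP documentation gives the real ones.

```csharp
using System;
using System.IO;
using System.Net;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class HsmClientAuth
{
    // Option 2 from the answer: take the certificate the device driver synced into
    // the Personal store. Windows already links it to the HSM's CSP key container,
    // so the PrivateKey property is usable without exporting anything.
    public static X509Certificate2 FindInPersonalStore(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);
            X509Certificate2Collection matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            if (matches.Count == 0)
                throw new InvalidOperationException("Client certificate not in Personal store");
            return matches[0];
        }
    }

    // Option 1 from the answer: a certificate read over PKCS#11 carries no key, so
    // wrap the device's CSP key container in an RSACryptoServiceProvider and assign it.
    // UseExistingKey makes the CSP open the container instead of generating a key.
    public static X509Certificate2 AttachCspKey(byte[] derCert, string cspName, string container)
    {
        var cert = new X509Certificate2(derCert);
        var csp = new CspParameters(1 /* PROV_RSA_FULL */, cspName, container)
        {
            Flags = CspProviderFlags.UseExistingKey
        };
        cert.PrivateKey = new RSACryptoServiceProvider(csp); // setter checks key matches cert
        return cert;
    }

    // The TLS handshake then signs with the HSM-backed key via the attached CSP.
    public static string Get(string url, X509Certificate2 clientCert)
    {
        var request = (HttpWebRequest)WebRequest.Create(url);
        request.ClientCertificates.Add(clientCert);
        using (var response = (HttpWebResponse)request.GetResponse())
        using (var reader = new StreamReader(response.GetResponseStream()))
            return reader.ReadToEnd();
    }
}
```

If the PrivateKey setter throws, the container name or provider does not match the certificate's public key; check both with the vendor's CSP tooling before retrying.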