Soap and ssl what certificates to use

[joep]

 Hi All I want to consume a webservice which will be used in an intranet environment. Consuming this webservice already works, but i have to go secure with ssl. Can someone tell me what certificates I need for this to work. Problem I have at the time is that I can't test it because the customer is to far away. And I want to be sure everything is in place before I do so. Do I need a root certificate and a key? Or can I just make one certificate, use it in my application and publish the certificate to the other party. Does someone know a free webservice based on ssl just to make sure the ssl part will work. Regards Joep Clarion 6.3

[Bruce]

Hi Joep,

are you just doing the client or the server as well.

If just the client, then you don't need a certificate. Everything you need, you already have. There are a bunch of SSL settings - and a ca_root.pem file, but those are all easy to do - you can try out the NetDemo example if you like - just point it at any SSL site (any https: address) to get the hang of it.

If you are making the server, then you will need to do more effort there - basically then yes, you will need a certificate and so on.

Cheers
Bruce

[joep]

Hi Bruce,

Sorry that it toke so long for me to answer.
I had to wait on the customer for an answer on the communication between webserver and client.
Customer says it has to be a 2-way ssl connection.
In his explanation he says that there has to be a server certificate and a client certificate.
Both party's get the public part of the certificate of the other party.(mutual authentication)
Besides that the message has to be encrypted by the client certificate.
The Web server can decrypt the message with the public part of the client certificate.
I know i have some ssl options in Nettalk, but I'm not sure which part takes care of the encryption:
- the SSLCertificateOptions.CertificateFile
- or the SSLCertificateOptions.CaRootFile
Or maybe I have to use  both?
Hope you can help me with this?

Regards
Joep

-

[Bruce]

Hi Joep,

yes, you can have a certificate on the client side as well. This is not common, but is done in some cases. We've done it for example with our internal credit card processing engine - the bank issued us with a certificate which we have to use when connecting to them.

There is an example of this
C:\Clarion8NT6\Examples\NetTalk\WebClient\LinkPoint (Requires xFiles)
however this is a "non working" example - since for obvious reasons we don't actually ship it with a certificate.

In essence though there's not much for you to do. Just put the certificate somewhere on your side and set the web client properties appropriately. Checking the source of that example should give you the right idea.

Cheers
Bruce

[joep]

Hi Bruce,

I have looked at your example.
Created an certificate like the windows way with certmanager.
So I got a private part of the certificate in the store and a public part which I gave to the webservice side.
I installed the certificate I got fom the webservice and on the webservice side my client certificate is installed. Both trusted in the certificate store.
And when If browse the url everything is fine.
But when I use my application with the public certificate as option I get a "the open command timed out".
I also tried using the CARoot.pem in which I copied the the base 64 export of the certificate, but then I get a non trusted message of the client certificate back from the webservice.
I'am a bit confused.
What should I use to encrypt the xml which I send?

These are the settings now:

         IF Glo:BagCertificaat Then net.SSLCertificateOptions.CertificateFile = Glo:BagCertificaat.
!        net.SSLCertificateOptions.PrivateKeyFile = Glo:BagPrivateKey
         net.SSLCertificateOptions.DontVerifyRemoteCertificateCommonName = 1
         net.SSLCertificateOptions.DontVerifyRemoteCertificateWithCARoot = 1
         IF Glo:BagCaRoot Then net.SSLCertificateOptions.CARootFile = Glo:BagCaRoot.

Regards Joep