Author Topic: 2 way certificate authentication (Read 3971 times)

joep · « **on:** December 10, 2024, 06:05:59 AM »

Hi,
I have a webservice which I'm going to use as an API server.
Normaly I create a self signed certificate with openssl and give the other party my public key.

ThisWebserver.SSL = 1 ! Use SSL to make a Secure Web Server
ThisWebserver.SSLCertificateOptions.DontVerifyRemoteCertificateCommonName = 1
ThisWebserver.SSLCertificateOptions.DontVerifyRemoteCertificateWithCARoot = 1
ThisWebserver.SSLCertificateOptions.CertificateFile = 'c:\webservice\certificates\deo.aag.nl.crt'
ThisWebserver.SSLCertificateOptions.PrivateKeyFile = 'c:\webservice\certificates\deo.aag.nl.key'
ThisWebserver.SSLCertificateOptions.ServerName = 'deo.aag.nl'

The other party asked me for the CSR file and signed this file to Afile.p7b
But I don't know how and where I should install or embed it.
Any Ideas?
Regards Joep

Bruce · « **Reply #1 on:** December 10, 2024, 06:27:03 AM »

Hi Joep,

I think we need more detail here.
You're making an API server? based on the NetWebServer stuff?

Which build of NetTalk are you using?

>> Normally I create a self signed certificate with openssl and give the other party my public key.

I'm not sure what you mean by "give the other party my public key". That's not normally something that needs to be done...

>> The other party asked me for the CSR file

why? (I feel like there are details in here you've not made clear yet...)
Who is the "other party"? The client program?
What do they need your CSR for?

>> and signed this file to Afile.p7b But I don't know how and where I should install or embed it.

Me neither. I have literally no idea what you're doing here.... Building a Web API server requires, well, none of this stuff...

Cheers
Bruce

joep · « **Reply #2 on:** December 10, 2024, 06:42:01 AM »

Hi Bruce

My Nettalk version = 11.45
And when I say Public key I mean my Cert file.
So I have a webservice which has to communicate with an Api Gateway.
The administrator of the gateway asked me for the Csr file.
He said he would sign it and sended me this p7b ,based on the csr, file back for my use.
Hope this helps

Regards Joep

Bruce · « **Reply #3 on:** December 11, 2024, 04:05:55 AM »

Hi Joep,

>> My Nettalk version = 11.45

ok, that's pretty old, but I'll try and answer usefully

>> And when I say Public key I mean my Cert file.

ok, so you're a server right?
By "cert" file you mean a CRT file?
I'm not sure what you mean by "giving that to them"...
That's not a thing - as in I've never needed to give a CRT file to anyone..
(which probably explains why I'm completely lost here...)

>> So I have a webservice which has to communicate with an Api Gateway.

What's an API gateway? And you'd communicate with that to do what? Are you making API requests of your own? To some other server?

>> The administrator of the gateway asked me for the Csr file.
>> He said he would sign it and sended me this p7b ,based on the csr, file back for my use.

Ok, so I guess you need to be a lot more explicit as to what an API Gateway is, what it's doing, what it needs and so on.
I can't really give you advice because I guess I'm not sure what an API gateway is, why you need to communicate with it, or what it needs...

You may need to fill in a lot more detail mate - sorry.

Cheers
Bruce

joep · « **Reply #4 on:** December 11, 2024, 06:11:50 AM »

Hi Bruce

My webservice is installed on a server of us.
The Api Gateway is in fact also a webservice at the client.
What we try to do is get json files from and send json files to this client.
I always believed that my key encrypts the message and the crt can decrypt this message at the client.
At least this is how I did my previous webservices.
Today I contacted my client and he said I had to convert the p7b file to pfx.
And somewhere in or at the TLS protocol I could reference this file. And here I am lost !!

Regards Joep

Jane · « **Reply #5 on:** December 11, 2024, 01:31:46 PM »

Questions on terminology...

Are YOU accessing HIS API as a client? And he wants you to use a certificate to authenticate yourself (rather than something like name and password)?

If that's what is meant by "2 way certificate authentication" then I think you need to figure out to use a client certificate (signed by him) to authenticate yourself to his API. Remember that certificates have two basic (and partially independent) functions - encryption and authentication. Maybe use Postman to do some tests for accessing his API. And when you get that working, do the same with the NetDemo app.

Bruce · « **Reply #6 on:** December 11, 2024, 08:09:19 PM »

Hi Joep,

as long as you are accessing the client over HTTPS - whether you are the server or the client - you don't need to manually worry about the encryption - that is done for you by the TLS layer.

Also you don't need to move certificates between you, or him, or whatever. That is handled for you by the TLS layer.
When you browse the web, and you go to say Amazon.com, you don't need to do anything - it's all done for you.
You set up the certifiacte on the server, and that's all you need.

With that in mind, I turn to the title of this thread though...

>> Re: 2 way certificate authentication

What do you mean by this, and why did you pick this phrase?

>> The Api Gateway is in fact also a webservice at the client.

so, to be clear, you are making a *client* request to his server? You will use the NetWebClient class?
And (as Jane suggests) the server you are talking to requires you as the client to pass it a client-side certificate?

Are we getting closer to understanding?

Cheers
Bruce

joep · « **Reply #7 on:** December 12, 2024, 07:44:58 AM »

Hi Jane and Bruce,

<< If that's what is meant by "2 way certificate authentication" then I think you need to figure out to use a client certificate (signed by him) to authenticate yourself to his API.

This is indeed the situation

like I said my webservice is secure (key and crt in place and the crt is referenced in the software of the external webservice, done by "him")
I tested this with postman locally

Now I have to look for a way to get the "signed csr which I got from the external party) in my webservice. The other way.
Where the external party says I have to convert it to pfx first with openssl.

Like Jane puts it I have to dig in deeper or even take several test with postman.

Regards Joep

Bruce · « **Reply #8 on:** December 13, 2024, 07:15:48 PM »

Hi Joep,

I think you need to define what you mean by "webservice".

Are you a SERVER? or a CLIENT?
Or both? (ie you are a server, but now your server is needing to be a client to another API as well?)

Cheers
Bruce

joep · « **Reply #9 on:** December 18, 2024, 05:53:29 AM »

Hi Bruce,

Sorry for the late reaction. There is still some confusion at the customer.
But to answer your questions.
I am server and client.
See the attachments how it looks.
So i get an notification from the customer (Api service) saying there is a new object available.
This works with certificates ( no problem)
The notification is a json with the unique number.
From there I have to send From ower Server a new json message asking for the object with the previous number from the notification.
Hope this helps to clear things.
What I also wanted to ask is how I can do the get from a netwebservice method?
Cheers
Joep

Jane · « **Reply #10 on:** December 19, 2024, 10:15:45 AM »

Quote

What I also wanted to ask is how I can do the get from a netwebservice method?

I have used client certificates to authenticate to servers, but not from NetTalk. On this page there is some info on client-side certificates: https://www.capesoft.com/docs/NetTalk12/NetTalkWebClient.Htm Bruce may have further advice.

I have, however, built a web server that is at the same time both an API server and an API client, which is what you're apparently doing.

The API client part is built like any of the API client examples that ship with NetTalk. (Such as 77).
Because an API request is asynchronous, you need a window running on a separate thread with a webclient object. It authenticates to the server you're querying and fetches the data from that other server's API. The window is obviously never visible to anyone; it's just used for the asynchronous process. Once you've sorted the certificate authentication the rest will be quite straightforward.

Bruce · « **Reply #11 on:** December 20, 2024, 06:28:27 PM »

>> What I also wanted to ask is how I can do the get from a netwebservice method?

you make an automatic Window procedure, and call it from your NetWebServiceMethod server code at the appropriate time.
See the NetTalk WebServer Email example that follows the same pattern - albeit with a NetEmail object, whereas you will use a NetWebClient object.

The NetWebClient method can use a private key, if that's a thing the other server requires of you.

Cheers
Bruce

joep · « **Reply #12 on:** December 21, 2024, 02:13:44 AM »

Hi Bruce and Jane
This is indeed how I have to go on.
With the automatic Window procedure and the call from the NetWebServiceMethod server code I can do the second call.
And with a new key and crt file in place this one is secure too. (I will make the crt and key file with openssl from the pfx I got from the consumer)
Thanks both for your understanding and suggestions.
I wil let you know when or if this works.
Thanks Joep