Discussion:
Sending POST over HTTPS using a Client Certificate with WinHttpRequest.5.1
Greg
2004-01-14 17:53:45 UTC
Hi all,

The following snippet always returns "A certificate is required to complete
client authentication" (.asp under IIS 5) :

Set WinHttp = Server.CreateObject("WinHttp.WinHttpRequest.5.1")
WinHttp.Open "POST" ,"https://foo/bar.cgi", False
WinHttp.SetClientCertificate("Gregoire")
WinHttp.Send ("Some DATA to send")

The same request (https://foo/bar.cgi) under IE5 from the same machine :
- Prompts for selecting a certificate, I choose "Gregoire", which is the
only item in the list
- Says the originator of the certificate is not trusted, I confirm with
the OK button
- Displays the bar.cgi result correctly.

Any idea of how to send a given client certificate when posting with
WinHttpRequest.5.1 under asp/IIS5 ?

Thanks in advance,

Grégoire
Stephen Sulzer
2004-01-14 23:16:12 UTC
Hello,

Your client certificate needs to be located in a certificate store that your
ASP application can access. WinHTTP running in an ASP application will not
use the same certificate store that Internet Explorer uses. You need to use
the WinHTTP Certificate Configuration utility to import your client
certificate into the "Local Machine" cert store on your IIS server.

See the WinHTTP Cert Config utility documentation for more information:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winhttp/http/winhttpcertcfg_exe__a_certificate_configuration_tool.asp

The WinHttpCertCfg.exe utility is part of the Windows Resource Toolkit,
available for free download at:
http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&DisplayLang=en

Once you've imported your client certificate into the Local Machine store,
you will need to change your SetClientCertificate method call to something
like this:

WinHttp.SetClientCertificate("LOCAL_MACHINE\MY\Gregoire")

Finally, the "originator of the certificate is not trusted" problem you
mention with your certificate may cause additional problems (WinHTTP may
reject it), but I cannot be sure.


Regards,
Stephen
Greg
2004-01-15 16:19:59 UTC
That's it - Thanks !
I had to :

1. Download & Install WinHttpCertCfgTool (for W2K) from
http://www.microsoft.com/downloads/details.aspx?familyid=c42e27ac-3409-40e9-8667-c748e422833f&displaylang=en

2. Launch mmc.exe

3. Add the Certificate SnapIn For Local Computer (only this one)

4. Add My certificate into the Personal Store

5. Issue the following command under command prompt :
winhttpcertcfg -g -c LOCAL_MACHINE\My -s "MyCertificateSubjectName" -a IWAM_MachineName

At this point I had a
ERROR_WINHTTP_SECURE_INVALID_CA
12045
Indicates that a certificate chain was processed but terminated in a root
certificate that is not trusted by the trust provider (equivalent to
CERT_E_UNTRUSTEDROOT).

6. So I had to add the second certificate (the provider's public key) into
the Trusted Root Certification Authorities via the MMC

And now, I have a :
WinHttp.WinHttpRequest error '80072f06'
The host name in the certificate is invalid or does not match
<=>
ERROR_WINHTTP_SECURE_INVALID_CA
12045
Indicates that a certificate chain was processed but terminated in a root
certificate that is not trusted by the trust provider (equivalent to
CERT_E_UNTRUSTEDROOT).

So maybe there's a problem in the certificates themselves.
I'll post back to that forum to let you know anyway.

Greg
Stephen Sulzer
2004-01-15 21:34:28 UTC
Greg,

The ERROR_WINHTTP_SECURE_INVALID_CA error might be a problem with the
server's certificate, not with your client certificate. If it is a problem
with the server's certificate, you can instruct WinHTTP to ignore the
problem as a workaround. This is done by setting a 'SSLErrorIgnoreFlags'
option:

Const Option_SSLErrorIgnoreFlags = 4

Const SslErrorFlag_UnknownCA = 256
Const SslErrorFlag_CertWrongUsage = 512
Const SslErrorFlag_CertCNInvalid = 4096
Const SslErrorFlag_CertDateInvalid = 8192
Const SslErrorFlag_Ignore_All = 13056 ' Ignore all of the above

WinHttp.Option(Option_SSLErrorIgnoreFlags) = SslErrorFlag_Ignore_All
WinHttp.SetClientCertificate("LOCAL_MACHINE\MY\Gregoire")
WinHttp.Send

For documentation on the SSLErrorIgnoreFlags option, see the following:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winhttp/http/winhttprequestoption.asp

Hope that helps.

Stephen
Greg
2004-01-16 08:51:24 UTC
Thanks Stephen,
I had the Option_SSLErrorIgnoreFlags set to 5 as described in the
WinHttpRequestOption enum at
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winhttp/http/winhttprequestoption.asp

But there seems to be an inversion in this enum, as far as
Option_SSLErrorIgnoreFlags should be set to 4 instead !

N.B. : By adding the Option with 100H, I could also get rid of the CA
certificate.


Everything is working fine now !
Thanks again,

Greg
Frank Schwieterman [MSFT]
2004-01-19 22:42:02 UTC
Hi Greg, I'm glad you were able to get things working. I'd like to follow up
though about the issue you saw with the enum being inverted as I don't
understand the problem as stated. It sounds like you think you found a bug
though? Can you expand a bit on the behavior you think was a bug, and let me
know what you expected and what you saw?
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Greg
2004-01-20 16:25:07 UTC
Hi Frank, and thanks for your interest.

Let me be clearer about this issue.
In the following page, you find the WinHttpRequestOption described.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winhttp/http/winhttprequestoption.asp
I'm assuming this Enum is zero based. This is confirmed by the VB
snippet at the bottom of the following page :
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winhttp/http/iwinhttprequest_option.asp
which states :
Const WinHttpRequestOption_UserAgentString = 0
Const WinHttpRequestOption_URL = 1
Const WinHttpRequestOption_URLCodePage = 2
Const WinHttpRequestOption_EscapePercentInURL = 3

So, I assume the following is true :
WinHttpRequestOption_EnableCertificateRevocationCheck == 4
WinHttpRequestOption_SslErrorIgnoreFlags == 5

Which is wrong, as far as WinHttpRequestOption_SslErrorIgnoreFlags == 4

;-))

Please let us know !

Thnx !

Greg
Stephen Sulzer
2004-01-22 23:50:08 UTC
The authoritative source for the values of the WinHttpRequestOption enums is
the httprequest.idl file in the Platform SDK. The ordering of the enums in
the IDL file determines their values. Unfortunately the on-line
documentation lists them in the incorrect order w.r.t. the
EnableCertificateRevocationCheck option.

From the httprequest.idl file :


enum WinHttpRequestOption
{
    WinHttpRequestOption_UserAgentString,                  // 0
    WinHttpRequestOption_URL,                              // 1
    WinHttpRequestOption_URLCodePage,                      // 2
    WinHttpRequestOption_EscapePercentInURL,               // 3
    WinHttpRequestOption_SslErrorIgnoreFlags,              // 4
    WinHttpRequestOption_SelectCertificate,                // 5
    WinHttpRequestOption_EnableRedirects,                  // 6
    WinHttpRequestOption_UrlEscapeDisable,                 // 7
    WinHttpRequestOption_UrlEscapeDisableQuery,            // 8
    WinHttpRequestOption_SecureProtocols,                  // 9
    WinHttpRequestOption_EnableTracing,                    // 10
    WinHttpRequestOption_RevertImpersonationOverSsl,       // 11
    WinHttpRequestOption_EnableHttpsToHttpRedirects,       // 12
    WinHttpRequestOption_EnablePassportAuthentication,     // 13
    WinHttpRequestOption_MaxAutomaticRedirects,            // 14
    WinHttpRequestOption_MaxResponseHeaderSize,            // 15
    WinHttpRequestOption_MaxResponseDrainSize,             // 16
    WinHttpRequestOption_EnableHttp1_1,                    // 17
    WinHttpRequestOption_EnableCertificateRevocationCheck  // 18
} WinHttpRequestOption;

Stephen
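
Added example, not part of the original thread and not Microsoft code: a Python check that scans classic ASP/VBScript source for WinHttpRequest `Option` assignments, resolves `Const` names, and reports which server-certificate checks an SslErrorIgnoreFlags value switches off. It uses option index 4 from the httprequest.idl ordering and the flag values quoted earlier in the thread; the function names, finding labels and the sample ASP text are constructed for illustration.

```python
import re

# Option indexes per the httprequest.idl ordering quoted in the thread.
OPT_SSL_ERROR_IGNORE_FLAGS = 4
OPT_SELECT_CERTIFICATE = 5

# Flag bits from the thread's Const block -> (check disabled, fix to prefer).
SSL_ERROR_FLAGS = {
    0x0100: ("UnknownCA", "install the issuing root in the Local Machine trusted roots"),
    0x0200: ("CertWrongUsage", "use a server certificate issued for server authentication"),
    0x1000: ("CertCNInvalid", "request the host name that the server certificate names"),
    0x2000: ("CertDateInvalid", "renew the server certificate or correct the system clock"),
}

CONST_RE = re.compile(r"^[ \t]*Const\s+(\w+)\s*=\s*([^'\r\n]+)", re.I | re.M)
OPTION_RE = re.compile(
    r"^[ \t]*[\w.]+\.Option\s*\(\s*([^)]+?)\s*\)\s*=\s*([^'\r\n]+)", re.I | re.M)


def _term(tok, consts):
    """One operand: &H hex literal, decimal literal, or a known numeric Const."""
    tok = tok.strip()
    m = re.fullmatch(r"&H([0-9A-Fa-f]+)&?", tok)
    if m:
        return int(m.group(1), 16)
    if tok.isdigit():
        return int(tok)
    return consts.get(tok.lower())  # VBScript names are case-insensitive


def eval_vbs(expr, consts):
    """Evaluate literals/Consts joined by '+' or 'Or', left to right.
    Returns None when any operand cannot be resolved to an integer."""
    parts = re.split(r"(\+|\bOr\b)", expr.strip(), flags=re.I)
    value = _term(parts[0], consts)
    for op, operand in zip(parts[1::2], parts[2::2]):
        rhs = _term(operand, consts)
        if value is None or rhs is None:
            return None
        value = value + rhs if op == "+" else value | rhs
    return value


def decode_flags(value):
    """Names of the certificate checks that a flags value tells WinHTTP to skip."""
    return [name for bit, (name, _) in SSL_ERROR_FLAGS.items() if value & bit]


def audit(source):
    """Return one finding per risky Option assignment in VBScript/ASP source."""
    consts = {}
    for m in CONST_RE.finditer(source):
        val = eval_vbs(m.group(2), consts)
        if val is not None:
            consts[m.group(1).lower()] = val
    findings = []
    for m in OPTION_RE.finditer(source):
        opt = eval_vbs(m.group(1), consts)
        val = eval_vbs(m.group(2), consts)
        if opt == OPT_SSL_ERROR_IGNORE_FLAGS:
            if val == 0:
                continue  # explicit "ignore nothing": full validation stays on
            issue = "unresolved-value" if val is None else "validation-disabled"
        elif opt == OPT_SELECT_CERTIFICATE and val is not None and decode_flags(val):
            # Flag bits written to index 5: the documentation-ordering mix-up
            # from the thread. Index 5 is SelectCertificate in the IDL.
            issue = "flags-on-wrong-option"
        else:
            continue
        ignored = decode_flags(val) if val is not None else []
        fixes = [fix for bit, (_, fix) in SSL_ERROR_FLAGS.items()
                 if val is not None and val & bit]
        findings.append({
            "line": source.count("\n", 0, m.start()) + 1,
            "option": opt, "value": val, "issue": issue,
            "ignored": ignored, "fixes": fixes,
        })
    return findings


# Constructed sample input, assembled from the snippets posted in the thread.
SAMPLE = r"""
Const Option_SSLErrorIgnoreFlags = 4
Const SslErrorFlag_UnknownCA = 256
Const SslErrorFlag_Ignore_All = 13056 ' Ignore all of the above
Set WinHttp = Server.CreateObject("WinHttp.WinHttpRequest.5.1")
WinHttp.Open "POST", "https://foo/bar.cgi", False
WinHttp.Option(Option_SSLErrorIgnoreFlags) = SslErrorFlag_Ignore_All
WinHttp.Option(5) = &H100
WinHttp.Option(4) = 0
WinHttp.SetClientCertificate "LOCAL_MACHINE\MY\Gregoire"
""".strip()

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f["line"], f["issue"], f["ignored"], "->", "; ".join(f["fixes"]))
```
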
Frank Schwieterman [MSFT]
2004-01-30 18:42:52 UTC
Greg, it looks like Stephen identified the issue and I'm going to get a doc
bug open on that. But if it was something else, do let me know.
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Greg
2004-02-05 13:46:06 UTC
You got it guys !
Thnx !
Greg
j***@gmail.com
2020-02-05 16:52:04 UTC
How can I find my client certificate in my computer?