PeculiarVentures / fortify

Fortify enables web applications to use smart cards, local certificate stores and do certificate enrollment. This is the desktop application repository.
https://fortifyapp.com

request client certificate #441

Open thiago-molive opened 2 years ago

thiago-molive commented 2 years ago

How can I request a client certificate to authenticate against another API?

I have to use the client's certificate as a way to authenticate to an external API, but I got the message "HTTP request is prohibited with 'Anonymous' client authentication scheme."

I sent the PEM from the frontend to the backend and cast it to x509Certificate.

rmhrisk commented 2 years ago

Fortify does not implement TLS. You can enroll for a certificate with it but you would use that cert with a TLS implementation.

thiago-molive commented 2 years ago

Hi @rmhrisk, thank you for your quick response.

I'm implementing this functionality, but I can't use the private key of an existing certificate to perform the TLS handshake. Any idea how I can use it to communicate with the API?

I'm currently passing the A1 certificate via fs.readFileSync(path) for testing, but I can't use it like that. I want to use all the power of fortifyapp, which is a wonderful app.

rmhrisk commented 2 years ago

My guess is you are trying to export the cryptographic key and then use it via a non-WebCrypto implementation? If instead you use WebCrypto (https://github.com/diafygi/webcrypto-examples) and use the initialized crypto object, you will be able to perform the needed operation with an existing key / certificate.

thiago-molive commented 2 years ago

I can do it with the public key; my problem is the private key, which I can't export.

example:

const fs = require('fs');
const https = require('https');

// Public key: export the selected certificate as DER, then wrap it as a PEM buffer
var selectedCert = this.getMemoryStorage().item(idKey).item;
selectedCert = await n.certStorage.exportCert('raw', certificado);
selectedCert = Buffer.from(an.PemConverter.fromBufferSource(selectedCert, 'CERTIFICATE'));

// Private key: currently read from a PEM file on disk (only for tests)
var key = fs.readFileSync(initPath + '/key.pem');

// TLS agent that presents the client certificate to the external API
const agent = new https.Agent({
  requestCert: true,
  rejectUnauthorized: false,
  key: key,
  cert: selectedCert,
  passphrase: 'password',
  ca: ca
});

I need to change the key and passphrase to use a CryptoKey object and a password popup, but I don't know how to do this.

rmhrisk commented 2 years ago

You won't be able to export private keys from tokens; the purpose of the tokens is to keep the private key safe, and export goes against that objective. You will need to use a handle to the key.

thiago-molive commented 2 years ago

Hello Ryan, I've been trying to implement this for some time and I'm short on deadline. Do you provide commercial support to develop this functionality?

my contact: thiago.zeyu@gmail.com

rmhrisk commented 2 years ago

If you can use WebCrypto with a non-extractable key, it should work with Fortify fine; if you can verify your code works with WebCrypto non-exportable keys, the change to use Fortify is trivial, so there is no need for a support contract.

thiago-molive commented 2 years ago

So can you help me? For me it isn't easy to do that.

rmhrisk commented 2 years ago

What I recommend is creating the smallest example of using a pre-existing WebCrypto key that you can, and then grafting that into your larger example.