Support client certificate authentication for Smart Card

[arunsingh0708]

I am using Postman Native app.How can I use desktop Postman when client certificate is on smart card? I can not point to a crt or pfx file, since private key will never leave smart card. What are the options for this?

[SamvelRaja]

Thanks for bringing your concern here, we shall analyze the possibilities and provide a solution for this. At present, providing the key file is the only option we have.

[pvdev]

Hi, Just wondering if there has been any progress here. I'd be interested in this solution also. There does seem to have been strides with node.js and pkcs11. My hope would be an interface similar to FireFox where you can attach to a PKCS11 interface and thus pick up any hardware crypto. HSPD-12 and CAC included.

Thanks!

[senseiweb]

Hey guys...checking the pulse on this particular issue...now that the Chrome version is showing as deprecated, is there any current workarounds or implementations to allow the use of Smart Card authentication.

[codenirvana]

@pvdev @senseiweb We have started working towards adding support for PFX certificate, for updates follow this thread #2494

[RandyAvis]

Last comment I saw was from February. Still needing SMART CARD support, not just PFX. Need to be able to pull certificate from a card. Please don't kill the Google app until you have this working.

[pvdev]

Yes, PFX is a file format. PKCS#11 is the standard for interfacing with hardware type devices. There is some work going on. See PKCS11.js. Once your PKCS11 interface is in place you should be able to use the associated libraries from vendors like ActivIdenity or open source like OpenSC.

[shimonacarvalho]

Any word on smart card support?

[juanjozorry]

Please this is a feature we currently need. We can not stop using the Chrome app until the Smart Card feature is implemented in the desktop application.

[juanjozorry]

Hi again. A teammate is installing a new development machine and the Crome app is not available to install. Please we need smartcard support on the desktop app. Thank you for your support.

[cnizzardini]

Use "Authorize using browser" option. This will open in your browser which should support PIV authentication.

[micheljung]

"Authorize using browser" only exists for OAuth

[ThatTallProgrammer]

"Authorize using browser" only exists for OAuth

Can confirm. My team and I are unable to find a way to use smartcards with this system. Is there any update to this issue?

[rogeruiz]

Hey folks, I'm curious if there is a better place to track progress on this feature?

I am currently researching other solutions using the Postman SDK, but am still getting familiar with Postman. I'm set to watch this Issue, but if there is another place I should be listening for updates on this topic, please let me know. Thank you.

cc: @postman-support

[franchyze923]

I'm in need of a way to use a smart card with Postman as well.

[rogeruiz]

Thanks @codenirvana it seems I missed this earlier comment but PFX support exists in Postman. So I should be able to solve my issues. I'll post something in this thread about how to do it if that helps future folks, but I think closing this ticket might be a good idea for future folks digging around Support requests.

👀 https://github.com/postmanlabs/postman-app-support/issues/2494#issuecomment-485894474

[aliciadavis]

I need a way to select a certificate from my smart card with postman. I cannot export the private key. I need a way to be prompted to select my certificate.

[pelesfire19]

Is there any update to this? Still needing to allow certificate on smart card for API authentication testing

[Jipwox]

the PFX certificate file is not a solution to this issue. When performing LDAP / Active Directory auth testing you can't just use a self signed cert file you make yourself if you are testing against a service you don't own. The ability to pass along a smart card's cert is critical for testing especially against military / DoD systems. Please make this a higher priority.

[adamkorynta]

the PFX certificate file is not a solution to this issue. When performing LDAP / Active Directory auth testing you can't just use a self signed cert file you make yourself if you are testing against a service you don't own. The ability to pass along a smart card's cert is critical for testing especially against military / DoD systems. Please make this a higher priority.

Agreed

[richfergus]

Yes.. I am forced to build my own tools @postman-staff Any chance you can at least tell us if this is a possibility?

[ale-rinaldi]

As a workaround, you may consider using https://github.com/porech/pkcs11-web-proxy to play locally with an API behind PKCS#11 authentication with any tool you like without thinking about authentication.