Access to client certificates and replacing certificate selection dialog in chrome extension - google-chrome

Is there an extension API which allows access to client certificates? I would like to provide a modified certificate selector based on details of the certificate.
Additionally, as far as I understand, Google Chrome does not provide its own client manager but uses native solutions for client certificate management. Due to this, full certificate management may not be possible by design. But since Chrome allows generating and importing certificates generated by the html5 tag, I was wondering if an extension could import client certificates.

Related

Why do browsers trust Cloudflare shared SSL certificate?

So I chose to use Cloudflare's shared SSL certificate with CDN, now the website I sign up for has this certificate shown in the browser:
The "issued to" domain is not my domain, this caused a problem:
The https post API of my program thinks my website does not have a valid certificate
However, when I open up my site with Chrome browser, the secured icon shows up:
It seems that the browser thinks the Cloudflare shared certificate is OK,
while the "issued to" domain is clearly not my domain
So the question is:
Why does the browser trust the shared SSL certificate with "issued to" not matching my domain, while the WebRequest from a C# program does not trust it?
Turns out there is a "Subject Alternate Names" field in the certificate details, which allows browsers to trust a certificate with a non-"issued to" domain, big thanks to @SLaks.
The reason why it didn't work on my C# API access is that Unity does not support ECDH (Elliptic-curve Diffie–Hellman) for HTTPS, and Cloudflare only supports ECDH.
So, the HTTPS API to my server through Cloudflare is working for Chrome, but not working for Unity. I searched around and found it does not work for some versions of the MonoDevelop lineup and Xamarin as well.
Bug
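The name check described in the answer above, as an added example that is not part of the original post: a TLS client compares the requested hostname with the certificate's Subject Alternative Name entries, not with the "issued to" common name. The certificate below is a constructed sample in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`; `shared-cert.cdn.example` and `example.com` are made-up names standing in for the CDN's shared certificate and the asker's site.

```python
# Constructed sample certificate (getpeercert() dict shape); all names are made up.
SHARED_CERT = {
    "subject": ((("commonName", "shared-cert.cdn.example"),),),
    "subjectAltName": (
        ("DNS", "shared-cert.cdn.example"),
        ("DNS", "example.com"),
        ("DNS", "*.example.com"),
    ),
}


def common_name(cert):
    """Return the subject CN, the value a browser displays as "issued to"."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def dns_name_matches(pattern, hostname):
    """Case-insensitive match; '*' may only replace the whole leftmost label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Refuse overly broad wildcards such as "*.com".
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_covers(cert, hostname):
    """RFC 6125 order: dNSName SAN entries decide; the CN is consulted only
    when the certificate has no dNSName SAN at all (current Chrome skips
    even that fallback)."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return any(dns_name_matches(s, hostname) for s in sans)
    cn = common_name(cert)
    return cn is not None and dns_name_matches(cn, hostname)


if __name__ == "__main__":
    print("issued to:", common_name(SHARED_CERT))
    for host in ("example.com", "www.example.com", "a.b.example.com", "other.example.org"):
        print(host, "->", cert_covers(SHARED_CERT, host))
```

A client that accepts this certificate for `example.com` is therefore validating correctly, so a failure elsewhere in the handshake (such as the key-exchange mismatch the asker found) has to be diagnosed separately from name validation.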

Import client certificate domain-wide into Google Chrome (Google Apps for Work)

We have rolled out a lot of chromebooks and for an internal application we need to import a client certificate into Google Chrome. We don't want to let our users import the certificate. After some research we think the best approach is to create a Google Chrome extension, see for details:
http://www.chromium.org/administrators/certificate-management-extension-api-on-chrome-os
The chrome.enterprise.platformKeys API is only available for pre-installed extensions within a Google Apps for Work domain, which makes development difficult, because you can't easily debug (publishing the extension takes 1 hour). We do have the client certificate locally. How can we use the API to import this certificate (file)? (no CA server)

How to fix Chrome's Refused to set unsafe header "Connection"

I'm using Advanced REST Client to test external API which requires me to specify
Connection: Keep-Alive. The connection fails (NO RESPONSE) and inspecting Chrome console I noticed Refused to set unsafe header "Connection" followed by net::ERR_INSECURE_RESPONSE
Are there any Chrome settings that allow me to override this? BTW, the API works when I use external tools like APIGee. I've tried the Chrome CORS extension (Allow Control Allow Origin) but still unsuccessful.
The issue is that Chrome is refusing to load a resource that has an invalid or expired SSL certificate. Even if you could get it to bypass that, it would be a bad idea, as it would make man-in-the-middle attacks easier in your application.
My suggestion would be (if you trust the server or if it's running locally) to import that certificate to your store so it's trusted in your development environment. If the cert is expired and it's hosted locally, look at the documentation on how to change the certificate or to add a self-signed one (which you then also would add to your trusted sites).
How to add a self-signed cert to your store
For Mac
For Windows
You'll have to restart Chrome for it to see the certs in the store after doing this.
Again, be sure you trust these certs' origin, as they'll be considered trusted as if a legit CA had issued them.

Windows Phone 8 and HTTPS/SSL

I need to connect to a web service via HTTPS in my windows phone 8.0 app. It seems that there is no client SSL support from Microsoft about this issue.
I really need to know how to deal with certificates in WP8. What is the correct certificate? Which certificates need to be imported?
Scenario: I have a https endpoint: https://10.1.1.2 and when I connect there from my PC I am being prompted to view and install the certificate of the server. The certificate name "The Root CA" is being saved locally. The same certificate is installed in the mobile device w/o problems. When I open the https://10.1.1.2 from the mobile internet explorer it informs me that the web page is secure and I have to choose between close and continue the page. I am clicking continue and the https://10.1.1.2 transaction takes place. Every time I go to the same URL via the mobile internet explorer there is no warning to the end user regarding security.
According to Microsoft: In most cases, you do not have to do anything
to enable this for your Windows Phone app with the exception of using
an address that begins with the https:// protocol scheme. Windows
Phone then examines the certificate that is returned by the web
service, and if the certificate is from one of the trusted authorities
listed in SSL root certificates for Windows Phone OS 7.1, the Windows
Phone app platform then uses the certificate in conjunction with the
web service to encrypt all further communication, including the
exchange of the authentication credentials as described previously.
Although you can install trusted certificates on the Windows Phone, in
the current release, the Windows Phone app platform does not expose
those certificates’ values to apps. As a result, in the current
release, you cannot implement mutual authentication scenarios –
scenarios in which the client sends its own certificates to the web
service in addition to receiving one -- using certificates installed
in the root store.
So, is this procedure OK? I cannot use one of the certificate authorities that Microsoft
trusts by default. Do I need code?
Self signed certificate cannot be used and it does not automatically fetch data without intervention.
First of all, when testing your SSL connection through mobile IE, it appears from my testing that by pressing continue you are adding an exception to IE, not installing any certificates or getting the exception to apply phone-wide.
Secondly, using self-signed certificates on WP8 appears to be severely limited by the fact that any cert chain that does not use a built-in root CA will generate a failed certificate validation in your code. See the MSDN blog entry at http://blogs.msdn.com/b/davidhardin/archive/2010/12/30/wp7-and-self-signed-ssl-certificates.aspx
Where he states "You can implement your own certificate authority using Microsoft Certificate Services but you’ll still need a certificate from one of the phone’s certificate authorities to chain your certificate authority to."
The only "solution" I've seen posted is to effectively ignore all certificate warnings - which is no solution at all.

How to automatically install a client certificate in a web browser?

I want to authenticate users with X.509 certificates to my web site.
I can generate an RSA key pair with the keygen element of HTML, and then send the SignedPublicKeyAndChallenge structure to the server. The server can then check and sign the public key and generate an X.509 certificate for that key, for the client.
Now, when I signed up at StartSSL, the HTML pages there installed the certificate into my browser’s store without me doing more than clicking a button and I want to do the same. How do I go about that? Send the certificate with a certain Content-Type? Do it with client-side scripting? How does the browser know it’s supposed to install a client certificate?
I know I can tell the user to install it manually, but if it can be automated, then I want to make it so.
You want to return the signed certificate file with the application/x-x509-user-cert MIME type. The browser should then offer to download or install that client credential.
For further reading, see https://pki-tutorial.readthedocs.org/en/latest/mime.html.
I am working on a very similar application for my own websites.