What subject to use for SetClientCertificate?

I'm trying to send a request with:

ActiveXObject("WinHttp.WinHttpRequest.5.1")

however this requires a client certificate to do so (which we have been provided).

Having tested in PHP cURL I can do so with:

curl_setopt($SOAP, CURLOPT_SSLCERT,$filepathtocertificate);

Which works fine. However I must use IIS running asp(javascript) and point to the certificate store of the machine the script is running on with:

 SetClientCertificate("LOCAL_MACHINE\\Personal\\Certificate subject");

for our actual deployment. The MS documentation (http://msdn.microsoft.com/en-us/library/windows/desktop/aa384055(v=vs.85).aspx) suggests that the path above has to state the 'subject' of the certificate, however the certificate seems to have several subjects and no combination of several or all of them seems to yield any results and I am stuck with the following error before the request is even sent:

WinHttp.WinHttpRequest error '80072f0c'

A certificate is required to complete client authentication

Looking in the certificate store and using other scripts in the same folder shows they are definitely there but have subjects like:

C=US, O=Organisation NAme, OU="Another Organisation Name, Inc.", CN=Organisation Name Root

Or similar.

Any advice on what parameters SetClientCertificate needs to be given to select and send certificates in the certificate store would be much appreciated.

Gavin asked Jul 08 '13 16:07


2 Answers

I had a lot of trouble with this same issue - using winhttp 5.1 from a scripting language to set a client certificate before a send.

I had used mmc with the certificates snap-in to import the certificate in CURRENT_USER \ Personal - but the WinHttp SetClientCertificate didn't seem to be doing anything, nor was I able to pick up any error code or message, so it was a case of repeated trial and error - the SetClientCertificate string should be something like "Location\store\subject", e.g. "CURRENT_USER\Personal\My Certificate" (or \\ if your language requires \ to be escaped) - the final part being 'subject', which is not as clear as it should be. Under MMC the subject is broken into many elements.

I eventually got it working by dropping the location and store - they were the defaults so I may have been fortunate - and providing just the subject field - the value I used for the subject field was the value in the line "CN = " under subject (when the cert is opened under mmc) - but this (perhaps coincidentally) was also the value in the 'Issued To' column on the main mmc certificate list. In my case it worked - clearly if there is a cert with these two values different then you'd need to try each.

Hope this helps if somebody is similarly stuck.

JSL answered Oct 21 '22 12:10


This is a very old question, yet I had to find an answer today. The answer provided above by @JSL helped me. If you only provide the certificate subject name then it works! So it is clear that there is a mistake in the way the full path is specified.

I got the right info for Windows 7 from this link https://msdn.microsoft.com/en-us/library/windows/desktop/aa384076(v=vs.85).aspx

Here is a VBA script that works.

Dim objHttp As New WinHttp.WinHttpRequest
objHttp.Open "GET", url, False
objHttp.SetClientCertificate "CURRENT_USER\My\TestCert"
objHttp.send

Valid locations are LOCAL_MACHINE and CURRENT_USER, and valid store names are "MY", "Root", and "TrustedPeople". Remember to escape the backslashes in C++, C# etc.

Rajeesh answered Oct 21 '22 12:10
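The subject-to-string step both answers describe, as an added example that is not part of either post: it pulls the CN value out of a subject as the certificate store displays it and builds the Location\Store\Subject string, rejecting store names other than the ones listed in the second answer (so "Personal" is refused). The function names are hypothetical, the subject is the sample quoted in the question, and the syntax is kept ES3-style with classic ASP JScript in mind.

```javascript
// Added example; function names are hypothetical, not part of WinHTTP.
var VALID_LOCATIONS = { CURRENT_USER: true, LOCAL_MACHINE: true };
var VALID_STORES = { MY: true, ROOT: true, TRUSTEDPEOPLE: true }; // as listed in the second answer

// Subject exactly as quoted in the question (note the comma inside the quoted OU).
var SAMPLE_SUBJECT = 'C=US, O=Organisation NAme, OU="Another Organisation Name, Inc.", CN=Organisation Name Root';

function trim(s) { return s.replace(/^\s+|\s+$/g, ""); }

// Split a subject string into { KEY: value }, treating commas inside
// double quotes as part of the value rather than as separators.
function parseSubject(dn) {
  var parts = {}, token = "", inQuotes = false, i, ch;
  function flush() {
    var eq = token.indexOf("=");
    if (eq > 0) { parts[trim(token.substring(0, eq)).toUpperCase()] = trim(token.substring(eq + 1)); }
    token = "";
  }
  for (i = 0; i < dn.length; i++) {
    ch = dn.charAt(i);
    if (ch === '"') { inQuotes = !inQuotes; }
    else if (ch === "," && !inQuotes) { flush(); }
    else { token += ch; }
  }
  flush();
  return parts;
}

// Build the string for SetClientCertificate. With no location/store, return
// only the CN value (the form the first answer reports working).
function buildSelector(subject, location, store) {
  var cn = parseSubject(subject).CN;
  if (!cn) { throw new Error("subject has no CN component"); }
  if (!location && !store) { return cn; }
  if (!VALID_LOCATIONS[String(location).toUpperCase()]) {
    throw new Error("location must be CURRENT_USER or LOCAL_MACHINE: " + location);
  }
  if (!VALID_STORES[String(store).toUpperCase()]) {
    throw new Error("store must be MY, Root or TrustedPeople: " + store);
  }
  return location + "\\" + store + "\\" + cn;
}

// In the ASP page the result would be passed after Open and before Send:
//   req.SetClientCertificate(buildSelector(subjectFromStore, "LOCAL_MACHINE", "My"));
```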