Solved

Chrome-Plugin doesn't support SSL-Client-Certificate

In my company many websites or services use authentication via SmartCard/SSL-Client-Certificate in Chrome/Edge.

But when I open a website via RoyalTS the popup for certificate selection doesn't prompt.





Hi Frank,


I looked into the implementation and found out that we need to implement it differently in order to make it work. It's actually not possible to load certs from the disk like I thought it would be, but we can provide the "Windows System Dialog" to select a certificate which matches the requirements. In case no certificate is installed in the user's certificate store, it will show a message like this:

If the certificate is installed in the user's certificate store, you will get a prompt like this:

Depending on the certificates installed, you may need to click on "More choices" as shown above to see the correct one (in my test I'm using the BadSSL test web site: https://badssl.com/).


Once selected, the site should work.


One caveat though: if a wrong certificate was chosen by mistake or the certificate is installed after the dialog appeared, you may need to restart Royal TS in order to force the Chromium engine to ask for a client certificate again. Somehow it seems to get cached until the process has been restarted. The Chrome browser behaves the same way...


Maybe you can do a quick test using this build and let me know if it's working for you:

https://download.royalapps.com/RoyalTS/RoyalTSInstaller_6.01.10324.0.msi 

https://download.royalapps.com/RoyalTS/RoyalTS_6.01.10324.0.zip 


Thanks!


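The store-based selection described in the reply above, sketched as an added example (not part of the thread and not Royal TS code). It uses only standard .NET certificate APIs; `ClientCertPicker` and `Pick` are hypothetical names, and handing the result to the embedded browser's `NeedClientCertificate` event is left out because the thread does not show that handler's signature.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ClientCertPicker // hypothetical helper name
{
    // OID of the "Client Authentication" enhanced key usage.
    const string ClientAuthOid = "1.3.6.1.5.5.7.3.2";

    // Returns the certificate the user picked, or null when no usable
    // certificate is installed or the dialog was cancelled.
    public static X509Certificate2 Pick(string host)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);

            // Filter on the validity period only; chain trust is judged by the server.
            var inDate = store.Certificates.Find(
                X509FindType.FindByTimeValid, DateTime.Now, false);

            var usable = new X509Certificate2Collection();
            foreach (X509Certificate2 cert in inDate)
                if (cert.HasPrivateKey && AllowsClientAuth(cert))
                    usable.Add(cert);
            if (usable.Count == 0)
                return null;

            // Windows system dialog; the private key stays in the store or on the smart card.
            var picked = X509Certificate2UI.SelectFromCollection(
                usable, "Client certificate", "Select a certificate for " + host,
                X509SelectionFlag.SingleSelection);
            return picked.Count == 1 ? picked[0] : null;
        }
    }

    // No EKU extension means unrestricted use; otherwise Client Authentication must be listed.
    static bool AllowsClientAuth(X509Certificate2 cert)
    {
        foreach (X509Extension ext in cert.Extensions)
        {
            var eku = ext as X509EnhancedKeyUsageExtension;
            if (eku == null) continue;
            foreach (Oid oid in eku.EnhancedKeyUsages)
                if (oid.Value == ClientAuthOid) return true;
            return false;
        }
        return true;
    }
}
```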

Hi Stefan,


thanks for the fast reply - I'm able to test/verify it. I think the best way is to give RoyalTS the path where the certificate is located.


Greetings

Frank

Hi Frank,


the component we use to embed the Chromium render engine doesn't support the client certificate selection out of the box. When the server needs a client certificate it will raise an event to provide an X509 certificate:

https://www.essentialobjects.com/doc/eo.webbrowser.webview.needclientcertificate


To create an X509 certificate we can either point to a file or pass in a byte array containing the certificate (with the password if needed). Very similar to the private key file. I guess we could provide the two or at least one of them but we don't really have any kind of test environment to verify the implementation.


Would you be able to test/verify an implementation in a beta release?

Which method would you prefer (pointing to a cert file or importing it into the .rtsz)?


Regards,
Stefan
