This document explains how to use certificate authentication when connecting to a site that requires it. We are using Indy components on the client side and some server (MS IIS, Apache, ...) on the server side. In the example we will be using the HTTP protocol (over SSL), because it is very easy to set up such an environment.
First of all we must get a certificate and private key for the client. Let's suppose that we got a private key/certificate pair from some Certificate Authority (like Verisign) and that it is listed in MS IE in the Personal Certificates store.
Task 1. Convert the certificate from MS format to PEM format used by OpenSSL
First we have to export the certificate to a PFX file (personal exchange format); I don't write down the steps, but it is assumed that the private key is exported together with the certificate. We could protect this file with a password, but for the sake of the example let's not.
When we have this file, in our case test_b.pfx, we have to convert it to PEM format. With the IndySSL DLLs we also distribute the precompiled openssl.exe utility, which can be used to do the conversion.
The proper parameters are:
openssl.exe pkcs12 -in test_b.pfx -out test_b.pem
We will be asked for passwords: first to unlock the PFX file (we didn't specify one) and then the password for locking the private key part in the PEM file. This second password will later be used to unlock the private key in the demo. Let's suppose that we use 'aaaa' for the password (four letters a).
If we look at the PEM file we will notice that it has two parts: the private key part and the certificate (public key) part, plus some informational statements. We must put those two parts into separate files, because Indy SSL clients need them separated.
So, let's create a first file called test_b_key.pem and copy/paste everything between
-----BEGIN RSA PRIVATE KEY----- and
-----END RSA PRIVATE KEY-----
(those two lines included) into this new file and save it.
Create also the certificate file called test_b_crt.pem and copy/paste everything between
-----BEGIN CERTIFICATE----- and
-----END CERTIFICATE-----
(those two lines included) into this new file and save it.
Now we also need the Certificate Authority certificate file. This can be obtained from MSIE in the Trusted Root Certificate Authorities store. Select the authority that issued your certificate and export it in Base64 (cer) format. This format is the same as PEM format, so you can simply rename the file test_b_ca.crt to test_b_ca.pem and you have the proper file.
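The manual copy/paste split described above, done with a script; this is an added example, not part of the original page. It assumes the combined PEM written by the pkcs12 command, uses only awk (no OpenSSL needed), and works on a constructed sample rather than a real exported key.

```shell
#!/bin/sh
# Added example, not from the original page: split the combined PEM that
# "openssl pkcs12 -in test_b.pfx -out test_b.pem" writes into the separate
# key and certificate files Indy expects, instead of copy/pasting by hand.
# Only awk is used, so it runs without OpenSSL. The sample PEM below is
# constructed: the base64 bodies are dummies, not real key material.

# split_pem <combined.pem> <key.pem> <crt.pem>
# Copies each BEGIN/END line pair and everything between them, dropping
# the "Bag Attributes", "subject=" and "issuer=" lines openssl adds.
# Any "... PRIVATE KEY" block (RSA PRIVATE KEY from older OpenSSL,
# ENCRYPTED PRIVATE KEY from newer releases) goes to the key file;
# CERTIFICATE blocks go to the certificate file.
split_pem() {
    awk -v keyfile="$2" -v crtfile="$3" '
        /^-----BEGIN .*PRIVATE KEY-----$/ { out = keyfile }
        /^-----BEGIN CERTIFICATE-----$/   { out = crtfile }
        out != ""                         { print > out }
        /^-----END /                      { out = "" }
    ' "$1"
}

# count_blocks <file> <type>: how many "-----BEGIN <type>-----" lines the
# file holds (used to check that each file received exactly its part).
count_blocks() {
    grep -c "^-----BEGIN $2-----\$" "$1" || true
}

# Constructed stand-in for test_b.pem as produced by the pkcs12 command.
WORK=$(mktemp -d)
cat > "$WORK/test_b.pem" <<'EOF'
Bag Attributes
    localKeyID: 01 02 03 04
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

RFVNTVlLRVlOT1RSRUFMS0VZTUFURVJJQUw=
-----END RSA PRIVATE KEY-----
Bag Attributes
    localKeyID: 01 02 03 04
subject=/C=SI/O=Example/CN=test_b
issuer=/C=SI/O=Example/CN=Example CA
-----BEGIN CERTIFICATE-----
RFVNTVlDRVJUTk9UQVJFQUxDRVJUSUZJQ0FURQ==
-----END CERTIFICATE-----
EOF

split_pem "$WORK/test_b.pem" "$WORK/test_b_key.pem" "$WORK/test_b_crt.pem"
echo "key blocks in test_b_key.pem:  $(count_blocks "$WORK/test_b_key.pem" 'RSA PRIVATE KEY')"
echo "cert blocks in test_b_crt.pem: $(count_blocks "$WORK/test_b_crt.pem" CERTIFICATE)"
```

The encrypted key block keeps its Proc-Type/DEK-Info header lines, which is what the OnGetPassword pass phrase later unlocks.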
We have now all the files that we require so we can start coding in Delphi.
Let's create a new application.
Put an IdHTTP component and an IdSSLIOHandlerSocket component on it and save the project.
Now we will specify those certificate files in the IdSSLIOHandlerSocket component.
Set the properties:
- CertFile to test_b_crt.pem,
- KeyFile to test_b_key.pem,
- RootCertFile to test_b_ca.pem.
Set the property Method to sslvSSLv23 so that the SSL protocol version (SSL ver2 or SSL ver3) is negotiated automatically.
Set the property VerifyDepth to 2. This means that we accept the certificate of the server we connect to up to 2 levels of certificate chain (CA1 -> CA2 -> Server certificate). In our case we have only one level, so the value 2 will be fine.
Now we have to connect the IdHTTP component to the IdSSLIOHandlerSocket. This is done by choosing IdSSLIOHandlerSocket1 in the IOHandler property of the IdHTTP1 component.
Set the Port of IdHTTP1 to 443, the HTTPS protocol port.
Create an OnGetPassword event handler; it will be fired when the client needs to access the private key. In this event handler you specify the password for unlocking the key.
procedure TForm1.IdSSLIOHandlerSocket1GetPassword(var Password: String);
begin
  // the password chosen when the private key was locked in test_b_key.pem
  Password := 'aaaa';
end;
Now add a button on the form that will trigger the read of the HTTP address, and a memo box that will show the result. We used something like this:
procedure TForm1.Button1Click(Sender: TObject);
begin
  Memo1.Clear;
  // the handshake sends the client certificate before the GET is issued
  Memo1.Lines.Text := IdHTTP1.Get('https://rotel/test/');
end;
Now you can set the verify options:
- sslvrfPeer forces checking that the other side has a proper, valid certificate,
- sslvrfFailNoPeerCert checks that the other side presents a certificate at all (used mostly in server applications),
- sslvrfClientOnce checks the certificate only once per SSL session, so not every request is checked.
If you handle the OnVerifyPeer event, you can additionally check the properties of the other side's certificate, for example match a user certificate's properties against your user database, the role of the user, or something like this.
Note that you have to set the property VerifyMode to verify the peer if you want the OnVerifyPeer event to be triggered.
Sample verification code:
function TForm1.IdSSLIOHandlerSocket1VerifyPeer(Certificate: TIdX509): Boolean;
begin
  // accept only certificates whose subject mentions our organisation
  Result := Pos('INTELICOM', UpperCase(Certificate.Subject.OneLine)) > 0;
end;
If you return True the client will be authorized, otherwise it will not. Either way the other side's certificate must be valid. The purpose of this event is to narrow down the group of users with valid certificates.
[ Source: http://www.intelicom.si/domcms.nsf/web/en.products001.html ]