Forum Discussion

William_Them_99
Dec 22, 2005

Client Certificate data format

I am trying to combine the client certificate functionality of iRules with a backend .NET application. Our iRule base 64 encodes the client certificate, then inserts it into the header and sends it along to the .NET page.

The .NET page then uses a built-in function to decode the base 64 encoded certificate data. This is where my problem occurs. When I decode the base 64 data from the HTTP header and try to load it as a certificate in .NET, I receive invalid input errors.

From what I've found, .NET's certificate functionality only works with certificates in the DER format. So even though I am decoding the base 64 data, the original format from the BIGIP is not compatible.

Does anyone know what format the certificate is in when it is grabbed by an iRule? Is there a way to convert it to DER before I base 64 encode it? I am guessing not, but it would be helpful to know what the original format actually is.

Thanks for any help.

-Bill
  • Just getting this post back in the limelight after the holiday break - anyone have any thoughts here?

    Thanks.
  • Also - is there a built-in function to encode in Hex as you can in base 64? (e.g. the b64encode function).

    We think we have narrowed the problem down to the fact that some of the special characters in the certificate data perhaps cannot be correctly encoded in base 64 and so on the other end, the data is invalid.
  • unRuleY_95363
    The Tcl command "binary format" can be used to encode hex.

    This seems strange as base64 should handle any byte as it was designed for 8-bit characters.
  • Thanks - ran across that command too.

    We ended up using the [X509::whole $the_cert] functionality to put the entire cert in the header - this put it in the PEM format, and then I can convert it to DER on the .NET box. Seems to work well.

    I appreciate the reply - thanks.
  • Here is the code:

    Imports System.IO
    Imports System.Diagnostics
    Imports System.Security.Cryptography

    'certificateContent (the PEM text taken from the HTTP header), certConversionBatchPath
    '(the path of the batch file below) and the SaveTextToFile helper are defined elsewhere in the poster's page
    Dim temp_file_name As String
    Dim temp_output_file_name As String
    Dim file_save_result As Object
    Dim CertConversion As Process
    Dim cert As X509Certificates.X509Certificate

    'create a file name for the temporary storage of the certificate to disk and its converted form
    temp_file_name = "cert_PEM_" & Replace(Replace(DateTime.Now.TimeOfDay.ToString.Replace(".", "_"), ":", ""), " ", "") & ".cer"
    temp_output_file_name = "cert_DER_" & Replace(Replace(DateTime.Now.TimeOfDay.ToString.Replace(".", "_"), ":", ""), " ", "") & ".cer"
    file_save_result = SaveTextToFile(certificateContent, temp_file_name)
    'start the batch file that runs CERTUTIL.EXE to convert the PEM file into its DER form
    CertConversion = System.Diagnostics.Process.Start(certConversionBatchPath, temp_file_name & " " & temp_output_file_name)
    'wait until the process completes before continuing (a bounded WaitForExit(1000) can return before the DER file exists)
    CertConversion.WaitForExit()
    'close the process
    CertConversion.Close()
    CertConversion.Dispose()
    CertConversion = Nothing
    'using the created .cer file, load it as a certificate object
    cert = X509Certificates.X509Certificate.CreateFromCertFile(temp_output_file_name)
    'delete the temporary .cer file and its converted form
    File.Delete(temp_file_name)
    File.Delete(temp_output_file_name)

    It depends on a free utility from Microsoft called CERTUTIL.EXE which you can Google and download. For some reason, I had problems in .NET calling CERTUTIL.EXE directly with the parameters, so I had to create a batch file with the following content:

    CERTUTIL.EXE -decode -f %1 %2

    Where %1 is the passed-in source filename and %2 is the passed-in output filename - so the code calls the batch file which then calls CERTUTIL.EXE.
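The format distinction the thread turns on (X509::whole yields PEM, which is base64-encoded DER between armor lines, while the .NET loader wants raw DER) can be handled inside the receiving application without a temporary file and an external CERTUTIL.EXE call. The script below is an added example, not code from the thread or from F5; the certificate body is a constructed DER SEQUENCE standing in for a real certificate, and the function names are my own. It converts PEM to DER and back, checks that the decoded bytes form one complete outer DER SEQUENCE (the same check that rejects armored text or a truncated header value), and shows that a base64 header value decodes fine either way: what matters is whether the iRule encoded raw DER or PEM text.

```python
import base64
import re

# Constructed stand-in for a certificate body (not a real certificate): a DER
# SEQUENCE { INTEGER 1, OCTET STRING "abc" }. A real X.509 certificate is also
# an outer SEQUENCE (tag 0x30), so every check below applies to it unchanged.
SAMPLE_DER = bytes.fromhex("3008" "020101" "0403616263")

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def is_pem(data: bytes) -> bool:
    """PEM is ASCII text that starts with an armor line; DER starts with byte 0x30."""
    return data.lstrip().startswith(b"-----BEGIN ")


def check_der_sequence(der: bytes) -> int:
    """Verify that der is one complete outer SEQUENCE TLV; return its content length.

    Handles short-form (< 128) and long-form lengths; real certificates always
    use the long form because they are well over 127 bytes.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE: first byte is not 0x30")
    first = der[1]
    if first < 0x80:
        length, header = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("malformed DER length octets")
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if header + length != len(der):
        raise ValueError("DER length does not match buffer (truncated or trailing bytes)")
    return length


def pem_to_der(pem: str) -> bytes:
    """Strip the armor, undo the line wrapping and the base64, then validate the result."""
    match = PEM_RE.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE armor found")
    body = re.sub(r"\s+", "", match.group(1))
    der = base64.b64decode(body, validate=True)
    check_der_sequence(der)
    return der


def der_to_pem(der: bytes) -> str:
    """Inverse of pem_to_der: base64 in 64-column lines between the standard armor."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def to_header_value(payload: bytes) -> str:
    """Single-line base64, the shape an iRule b64encode produces for a header value."""
    return base64.b64encode(payload).decode("ascii")


def from_header_value(value: str) -> bytes:
    """Decode a header value and return DER whether the iRule sent raw DER or PEM text.

    Base64 decoding succeeds in both cases; if the iRule encoded X509::whole
    output (PEM, as the thread reports) the result is armored text, which a
    DER-only loader rejects as invalid input unless the armor is stripped first.
    """
    raw = base64.b64decode(value, validate=True)
    if is_pem(raw):
        return pem_to_der(raw.decode("ascii"))
    check_der_sequence(raw)
    return raw


if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER)
    print(pem)
    print("PEM in header ->", len(from_header_value(to_header_value(pem.encode()))), "DER bytes")
    print("DER in header ->", len(from_header_value(to_header_value(SAMPLE_DER))), "DER bytes")
```

The length check in check_der_sequence is the useful part for a gateway that receives certificates over a header: a value that was cut or padded in transit fails there with a clear message instead of surfacing as a generic invalid-input error from the certificate loader.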