
9.8 Client certificates

Whereas server certificates authenticate a Web site to a browser, a client certificate authenticates a browser to a server. Client certificates are only used for maximum-security Web sites, such as online business banking. Client certificates are available free of charge from Thawte. They are used to send and receive encrypted emails and to authenticate your email address to recipients. You will need to have a passport or social security number to receive a client certificate.

A basic client certificate only authenticates the email address, not the person who sent the email. To get your name on the certificate, you need to have a bank manager or attorney vouch for your identity. The rest of this section assumes that you have, at this point, received a client certificate from Thawte.

Figure 9.5 Internet Explorer Certificates dialog.

To view the client certificates installed on your system, open Internet Explorer. Click on Tools→Internet Options→Content→Certificates (Figure 9.5).

Clicking on View→Details→Subject on this screen will show which email address this certificate authenticates. Pressing Export will produce an X.509 (.cer) file, which is used in the next example program.

9.8.1 Microsoft Certificate Services

As mentioned earlier, you cannot download a software package that will create globally acceptable X.509 certificates on the fly, because the certificate issuer needs to be trusted in order for the certificate to be meaningful. Certificate issuers are legally required to enforce policies and to have their private key fully insured against theft.


Organizations may require internal security (e.g., in a university, the servers that hold student grade information would need to be authenticated, to ensure that a student is not using a “poisoned” DNS server to impersonate one of the servers). In this scenario, it might be expensive to buy certificates for every server, and there is no need for people from outside the campus to access the servers, let alone trust them. This is where Microsoft Certificate Services (MSCS) is used.

MSCS runs on Windows 2000 and can generate X.509 certificates in PKCS #7 format from PKCS #10 certificate requests. MSCS can run as either a root CA or a subordinate CA and can optionally hold certificates in Active Directory. When used in conjunction with Active Directory, MSCS will use this as its certificate revocation list (CRL).

A CRL is a publicly accessible list of serial numbers of certificates that have been compromised or have been shown to have been fraudulently acquired. Verisign holds its CRL at http://crl.verisign.com.

9.8.2 Reading certificates

Certificates can be read using the X509Certificate class (Table 9.2) in .NET.

Table 9.2 Significant methods and properties of X.509 certificates.

Method or Property           Description
GetCertHashString            Returns the hash value for the certificate as a hexadecimal string
GetEffectiveDateString       Returns the effective date of this certificate
GetExpirationDateString      Returns the expiration date of this certificate
GetFormat                    Returns the name of the format of this certificate
GetIssuerName                Returns the name of the certification authority that issued the certificate
GetKeyAlgorithm              Returns the key algorithm information for this certificate
GetKeyAlgorithmParameters    Returns the key algorithm parameters for this certificate
GetName                      Returns the name of the principal to which the certificate was issued
GetPublicKeyString           Returns the public key for the certificate
GetRawCertDataString         Returns the raw data for the entire certificate
GetSerialNumberString        Returns the serial number of the certificate

To write a short .NET application to read certificate files, create a new project in Visual Studio .NET. Draw two textboxes named tbCertFile and tbDetails. Add two buttons, btnBrowse and btnExamine. You will also require a File Open Dialog control named openFileDialog.

Click on the Browse button and add the following code:

C#

private void btnBrowse_Click(object sender, System.EventArgs e)
{
    // Let the user pick the .cer file and record its path
    openFileDialog.ShowDialog();
    tbCertFile.Text = openFileDialog.FileName;
}

VB.NET

Private Sub btnBrowse_Click(ByVal sender As System.Object, _
    ByVal e As System.EventArgs) Handles btnBrowse.Click
    ' Let the user pick the .cer file and record its path
    openFileDialog.ShowDialog()
    tbCertFile.Text = openFileDialog.FileName
End Sub

Once we have the name of the certificate file, we can use an X509Certificate object to parse the file and extract some pertinent information.

Now click on the Examine button and enter the following code:

C#

private void btnExamine_Click(object sender, System.EventArgs e)
{
    // Load the exported .cer file and display the subject and issuer names
    X509Certificate x509 = X509Certificate.CreateFromCertFile(tbCertFile.Text);
    tbDetails.Text = x509.GetName();
    tbDetails.Text += x509.GetIssuerName();
}

VB.NET

Private Sub btnExamine_Click(ByVal sender As System.Object, _
    ByVal e As System.EventArgs) Handles btnExamine.Click
    ' Load the exported .cer file and display the subject and issuer names
    Dim x509 As X509Certificate
    x509 = X509Certificate.CreateFromCertFile(tbCertFile.Text)
    tbDetails.Text = x509.GetName()
    tbDetails.Text += x509.GetIssuerName()
End Sub

You will also need to include the relevant namespace:

C#

using System.Security.Cryptography.X509Certificates;

VB.NET

Imports System.Security.Cryptography.X509Certificates

Figure 9.6 Digital certificate reader application.


To test the application, run it from Visual Studio .NET. Click Browse, and locate your .cer file on disk, which you have previously exported from Internet Explorer. Press Examine, and you should see information about the issuer and the certificate owner, as is shown in Figure 9.6.
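As an added example that is not part of the book's application, the following console program does the same job as the Browse/Examine form but also prints the remaining fields of Table 9.2 and builds the certificate chain, which is where the CRL described in Section 9.8.1 is consulted. It uses X509Certificate2 (available since .NET 2.0) rather than the X509Certificate class above, and, so that it runs without a .cer file on disk, it constructs its own self-signed sample with CertificateRequest (.NET Core 2.0 or later, or .NET Framework 4.7.2 or later); the subject name in the sample is invented. Pass the path of a real exported .cer file as the first argument to reproduce the book's scenario.

```csharp
// Added example, not from the book: console certificate reader with chain validation.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

public static class CertReader
{
    // The same information the btnExamine handler shows, plus the rest of Table 9.2.
    public static string Describe(X509Certificate2 cert)
    {
        var sb = new StringBuilder();
        sb.AppendLine("Subject:    " + cert.Subject);
        sb.AppendLine("Issuer:     " + cert.Issuer);
        sb.AppendLine("Serial:     " + cert.SerialNumber);
        sb.AppendLine("Thumbprint: " + cert.Thumbprint);            // SHA-1 hash, as GetCertHashString
        sb.AppendLine("Valid from: " + cert.NotBefore.ToString("u"));
        sb.AppendLine("Valid to:   " + cert.NotAfter.ToString("u"));
        sb.AppendLine("Key alg:    " + cert.PublicKey.Oid.FriendlyName);
        sb.AppendLine("Sig alg:    " + cert.SignatureAlgorithm.FriendlyName);
        sb.AppendLine("Format:     " + cert.GetFormat());
        return sb.ToString();
    }

    // Builds the chain up to a trusted root. With X509RevocationMode.Online the
    // framework fetches the issuer's CRL (Section 9.8.1) and rejects revoked
    // serial numbers; NoCheck is only appropriate where no CRL exists.
    public static bool Validate(X509Certificate2 cert, X509RevocationMode revocation, out string report)
    {
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = revocation;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
            chain.ChainPolicy.VerificationTime = DateTime.Now;

            bool ok = chain.Build(cert);
            var sb = new StringBuilder();
            // Every problem found (expired, untrusted root, revoked, ...) is listed here
            foreach (X509ChainStatus status in chain.ChainStatus)
                sb.AppendLine(status.Status + ": " + status.StatusInformation.Trim());
            report = ok ? "chain OK" : sb.ToString();
            return ok;
        }
    }

    // Constructed sample: a self-signed certificate so the program runs offline.
    // The subject name is invented for this example.
    public static X509Certificate2 MakeSampleCert()
    {
        using (RSA key = RSA.Create(2048))
        {
            var req = new CertificateRequest(
                "CN=sample@example.com, O=Constructed Sample",
                key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            X509Certificate2 withKey = req.CreateSelfSigned(
                DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(30));

            // Export as a bare X.509 blob, the same form Internet Explorer writes to a
            // .cer file, and re-import it so the parsing path matches reading a file.
            byte[] der = withKey.Export(X509ContentType.Cert);
            return new X509Certificate2(der);
        }
    }

    public static void Main(string[] args)
    {
        // A .cer path on the command line plays the role of tbCertFile in the book's form
        X509Certificate2 cert = args.Length > 0
            ? new X509Certificate2(args[0])
            : MakeSampleCert();

        Console.WriteLine(Describe(cert));

        // The self-signed sample has no CRL, so revocation is skipped for it only;
        // a CA-issued certificate is checked online against its issuer's CRL.
        X509RevocationMode mode = args.Length > 0
            ? X509RevocationMode.Online
            : X509RevocationMode.NoCheck;

        string report;
        bool trusted = Validate(cert, mode, out report);
        Console.WriteLine(trusted ? "Trusted" : "Not trusted");
        Console.WriteLine(report);
        // The sample is expected to be reported as Not trusted with an UntrustedRoot
        // status: its issuer is itself, not a CA present in the machine's store.
    }
}
```

The point of the Validate step is that parsing a certificate (what the Examine button does) tells you who it claims to be, not whether anyone you trust vouches for that claim; only the chain build, with revocation checking switched on, answers the second question.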