
How can I read certificates from a PKI card?

I tried finding an answer on the Internet, but I didn't get any good results.

Any ideas how to get the certs from a PKI card?

I need to sign some forms with a certificate key. All this will happen in a web app.

Later...

I didn't try much because I don't have a point to start from. I've just learned that all of the certs are read by Windows when you insert the card. This way I think I can get them using X509Store. I'll try it and I'll be back, but I'm still in need of some help.

tzortzik
  • This has the makings of a very good question, but can you expand on what you've tried and any sample code you've already written? – Adrian Wragg Mar 18 '14 at 12:31
  • You will need a plugin which reads the card on the client machine, then can transmit it to your server. If you just use X509Store in your ASP.NET backend, it will expect a card on the server. – Alexander Mar 18 '14 at 12:38
  • @Alexander Any ideas on where to start with this? – tzortzik Mar 18 '14 at 12:40
  • possible duplicate of [Sign data using smart card's private key with ASP.NET, Windows Authentication, and Impersonation](http://stackoverflow.com/questions/16152210/sign-data-using-smart-cards-private-key-with-asp-net-windows-authentication-a) – Alexander Mar 18 '14 at 12:52
  • I'm afraid this will answer your questions: http://stackoverflow.com/questions/16152210/sign-data-using-smart-cards-private-key-with-asp-net-windows-authentication-a – Alexander Mar 18 '14 at 12:52
  • I think this answers my question. But... Again... I found http://en.wikipedia.org/wiki/CAPICOM . I know little about CAPICOM, and this is the component that is being used right now. In that link they say that CAPICOM has been replaced "with .NET Framework's X509 Cryptographic Classes and a number of other alternatives." Is this possible using X509 classes? – tzortzik Mar 18 '14 at 13:01
  • And in the link @Alexander provided it is said that you need a card reader. I already have it. – tzortzik Mar 18 '14 at 13:06
  • If you don't want to use CAPICOM and want a cross-platform solution, you can use https://pkcs11interop.net/ which gives much more access to your PKI card – Prashanth Mar 12 '19 at 09:18

1 Answer


As soon as you plug in your SmartCard, the certificates are copied to your local, personal certificate store. You can use "certmgr.msc" (Run -> Enter) to have a look at these certs.

You can access the certificates, as well as the associated private keys, with the X509Store. But of course you can only do this locally on your machine, for security reasons. Imagine if every website had access to your private keys... How to Sign and Verify the signature with .NET and a certificate (C#)

If you are using CAPICOM, you will still need to execute code on the local machine (JavaScript). You find the following statement here:

[CAPICOM is a 32-bit only component that is available for use in the following operating systems: Windows Server 2008, Windows Vista, Windows XP. Instead, use the .NET Framework to implement security features. For more information, see the alternatives listed below.] Important: None of the alternatives to CAPICOM offer a solution for scripts; therefore, you must write your own ActiveX control. For more information, see ActiveX Controls.

This indicates that the .NET classes are not a "full" replacement for CAPICOM. So you can't use the "X509" classes in JavaScript.

If you want to use a client-side private certificate to sign some data (assume a hash), you need to run code on the client. Here are some ideas of what you could do:

  • Write an ActiveX control
  • Write browser Plugin(s)
  • Write an application which can be called by using a custom URI scheme (can't post another link, google it and you will find it).

Of course you need to retrieve the data on the server side, and for the last solution you may need some kind of web service.

Conclusion

Don't be confused about private and public keys from a certificate. There are scenarios where you send a certificate to the server, e.g. for authentication. But then it's your public key. You should never send your private key around (of course technically it's possible).

msallin
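As an added example (this is not code from the question, the answer, or any project mentioned above), here is what the approach described in the answer and the comments looks like in C#. The client-side half enumerates the CurrentUser personal store for a card-backed signing certificate and signs with it; as the answer says, this half must run in native code on the client (the helper application or control it lists), never in the browser and never on the web server, because `X509Store` there would look for a card on the server. The server-side half receives only the data, the signature and the public certificate (DER, no private key) and verifies both the signature and the certificate chain. The `SmartCardSigningDemo` class, its method names, the sample form bytes and the filtering rules are my assumptions; `X509Store`, `GetRSAPrivateKey`, `GetRSAPublicKey` and `X509Chain` are real .NET APIs. It assumes a Windows machine whose card minidriver/CSP propagates the card's certificates into the personal store and a card holding an RSA signing key.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added example, not from the original post. Assumes a Windows machine with a
// smart-card minidriver/CSP that mirrors the card's certificates into the
// CurrentUser\My store, and a card holding an RSA signing key.
static class SmartCardSigningDemo
{
    // CLIENT SIDE: pick a signing certificate from the user's personal store.
    // Certificates propagated from a smart card report HasPrivateKey = true even
    // though the key material itself never leaves the card.
    public static X509Certificate2 FindSigningCertificate()
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
            DateTime now = DateTime.Now;
            return store.Certificates
                .Cast<X509Certificate2>()
                .Where(c => c.HasPrivateKey)                         // key is reachable (on the card)
                .Where(c => c.NotBefore <= now && now <= c.NotAfter) // currently valid
                .Where(c => c.Extensions.OfType<X509KeyUsageExtension>()
                    .Any(ku => ku.KeyUsages.HasFlag(X509KeyUsageFlags.DigitalSignature)))
                .FirstOrDefault();
        }
    }

    // CLIENT SIDE: sign the form bytes. The CSP/minidriver hands the hash to the
    // card, which prompts for the PIN and signs on-card; the key is never exported.
    public static byte[] SignOnClient(X509Certificate2 cert, byte[] data)
    {
        using (RSA rsa = cert.GetRSAPrivateKey())
        {
            if (rsa == null)
                throw new InvalidOperationException("Certificate has no usable RSA private key");
            return rsa.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
    }

    // SERVER SIDE: the web app receives the data, the signature and the PUBLIC
    // certificate only. Check the signature first, then that the certificate
    // chains to a trusted root and is not revoked, before trusting the form.
    public static bool VerifyOnServer(byte[] data, byte[] signature, byte[] certDer)
    {
        var cert = new X509Certificate2(certDer); // DER contains no private key
        using (RSA rsa = cert.GetRSAPublicKey())
        {
            if (!rsa.VerifyData(data, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1))
                return false;
        }
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
            return chain.Build(cert); // false on untrusted root, expiry, revocation, etc.
        }
    }

    static void Main()
    {
        // Constructed sample payload standing in for the form to be signed.
        byte[] form = Encoding.UTF8.GetBytes("form-id=42;amount=100");

        X509Certificate2 cert = FindSigningCertificate();
        if (cert == null)
        {
            Console.WriteLine("No card-backed signing certificate found in CurrentUser\\My");
            return;
        }
        Console.WriteLine("Signing with: " + cert.Subject);

        byte[] signature = SignOnClient(cert, form);

        // Only the public certificate travels to the server, never the private key.
        byte[] publicCertDer = cert.Export(X509ContentType.Cert);
        Console.WriteLine("Server accepted signature: " + VerifyOnServer(form, signature, publicCertDer));
    }
}
```

The split between the two halves is the security point of the answer: `FindSigningCertificate` and `SignOnClient` only make sense on the machine the card is plugged into, while `VerifyOnServer` needs nothing but public material, so the private key has no reason to cross the network. Tightening `VerifyOnServer` further (pinning the expected issuer, checking the subject against the logged-in user) is what a real deployment would add on top.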