Use openssl, requests and wincertstore to Get Client Certificates

Question

I have code to walk through my wincertstore and find a certificate by name and/or thumbprint.

if os.name == 'nt':
    for storename in ["MY"]:  # "ROOT", "CA",
        with wincertstore.CertSystemStore(storename) as store:
            for cert in store.itercerts(usage=wincertstore.CLIENT_AUTH):
                print(cert.get_name())
                print(cert.cert_type)
                print(cert.enhanced_keyusage_names())
                # pem = cert.get_pem()
                # encodedDer = ''.join(pem.split("\n")[1:-2])
                # cert_bytes = base64.b64decode(encodedDer)
                cert_pem = ssl.DER_cert_to_PEM_cert(cert.get_encoded())
                cert_details = x509.load_pem_x509_certificate(
                    cert_pem.encode('utf-8'), default_backend()
                )
                serial_number = hex(cert_details.serial_number).replace("0x", "")
                cert_details.fingerprint
                if cert.get_name().lower() == find_name.lower():
                    pem_data = cert.get_pem()
                    break
if pem_data:
   f = open('./mycert.pem', 'w')
   f.write(pem_data)
   f.close()
   del f

import requests 
resp = requests.get(<some url>, cert='./mycert.pem')

This gives an SSL Error:

urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='*****.e***.com', port=443): Max retries exceeded with url: /gis/sharing/rest/portals/self/servers?f=json (Caused by SSLError(SSLError(9, '[SSL] PEM lib (_ssl.c:3932)')))

So what else do I need to pull from the window's certificate store to pass the client certificate?

The code above is an example that works. I can't share a PKI certificate. — JabberJabber, Jul 07 '21 at 12:17
@NizamMohamed I believe you can extract the certificate from the store with both key/cert. Using the pythonnet library I can get the certificate, but it seems really odd that there is no package to work with windows cert stores really. — JabberJabber, Jul 14 '21 at 09:35
The private key to your local certificate must be unencrypted. Currently, Requests does not support using encrypted keys. — Nizam Mohamed, Jul 14 '21 at 10:17
`wincertstore` provides an interface to access Windows’ CA and CRL certificates. And you're talking about **client** certs! — Nizam Mohamed, Jul 14 '21 at 10:36
`wincertstore` is deprecated. Since Python 2.7.9 `ssl.create_default_context()` automatically loads certificates from Windows’ cert store. — Nizam Mohamed, Jul 14 '21 at 10:38
ok so ssl.create_default_context() is better, but it's still the same issue. You can parse the wincert store items into cert/ private keys. — JabberJabber, Jul 19 '21 at 17:57

score 0 · Answer 1 · answered Jul 07 '21 at 16:32

0

I think you might be running into a bug on urllib3 Try updating it to the latest version:

https://pypi.org/project/urllib3/#changes

answered Jul 07 '21 at 16:32

Technoob1984

172
9

Can you explain what you are pointing out a bit more? – JabberJabber Jul 08 '21 at 10:32
1

Hey JabberJabber, Sorry been AFK for a bit. When I researched the error I found that link I shared. It talks about urllib3 is being deprecated. I just took a fresh look and I actually think you are feeding the wrong information from your pem_data variable. Here is another overflow that talks about it: https://stackoverflow.com/questions/24160244/why-httpsconnectionpool-doesnt-work-when-poolmanager-does Can you confirm pem_data is a hostname or IP and not a URL of some sort? Thanks – Technoob1984 Aug 12 '21 at 14:42

Use openssl, requests and wincertstore to Get Client Certificates

1 Answers1