
On Windows, how does one configure GIT to prompt or otherwise use a client HTTPS certificate when connecting to an HTTPS repository that requires HTTPS Client authentication?

Complications:

  1. SSL is blocked by firewalls, can't sidestep the problem.
  2. Private Key is locked onto smart card, cannot extract or replace.
IMarvinTPA
  • If you mean: a card-generated *ssl* certificate, I don't know that you can do this at all. If you mean instead: a card-generated *auth token for login* over https using a static certificate, you'll just need to write your own Git credential manager that defers to the smart-card. – torek May 06 '22 at 00:40
  • This kind of client authentication: https://www.jscape.com/blog/client-certificate-authentication PKCS12, but the private key is kept on a smart card and the smart card does all of the heavy lifting with it, so the host never sees the private key either. I cannot extract it. The web server is requiring it prior to GitLab doing any of its authentication. – IMarvinTPA May 06 '22 at 13:07
  • OK, they're talking about the TLS handshake and talking about setting up plugins for browsers where the plugin takes over the entire handshake process. Git uses the OS's `libcurl` library to do the TLS handshake (not a browser), so you'll be dependent on whether the OS's `libcurl` as used in Git even *allows* this kind of intercession in the first place. Interposing arbitrary software like this is tricky (and has OS-level security implications; browsers can get away with it by being their own separate ecosystems). You'll need a serious Windows expert here. – torek May 07 '22 at 01:42

2 Answers


Solution:

    git clone -c http.sslCert="CurrentUser\MY\[thumbprint of cert]" [URL]

Or .gitconfig:

    [http]
        sslCert=CurrentUser\\MY\\[thumbprint of cert]

PS: for curl, it is `--cert` or `-K "CurrentUser\MY\[thumbprint]"`.

IMarvinTPA
  • Found the path needed from the answer to https://stackoverflow.com/questions/55386742/failed-to-get-certificate-location-in-libcurl – IMarvinTPA May 09 '22 at 12:38

I just want to say that IMarvinTPA's answer worked great for me; I did have to do one other thing, however:

.gitconfig:

    [http]
        sslbackend = schannel
        sslCert=CurrentUser\\MY\\[thumbprint of cert]

EDIT: Sorry, I did not have the reputation to just comment on the answer.

YoshiMbele
Brandon M.
  • Good catch, I always defaulted to schannel. I think in some documentation I wrote later, I had that as a critical part though. This also works for soft-certs if you have them, just a little easier to work with. – IMarvinTPA Jun 13 '23 at 17:37
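Putting both answers together, here is an added PowerShell example (not from either answer) that locates a smart-card or soft client-authentication certificate in the `CurrentUser\My` store, fills in the `[thumbprint of cert]` placeholder, and scopes the setting to the one remote that needs it via git's URL-scoped `http.<url>.*` config. The remote URL and the store filter are assumptions.

```powershell
# Added example: select a client-auth certificate and configure git for it.
# Assumed values: the remote host and the "newest valid cert wins" rule.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'             # id-kp-clientAuth EKU
$RemoteHost    = 'https://gitlab.example.com/'   # assumed remote (trailing slash)
$EkuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

# Keep only certs that have a private key (on the card or in the CSP/KSP),
# are still valid, and carry the client-authentication EKU.
$candidates = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
    ($_.Extensions | Where-Object { $_ -is $EkuType } |
        Where-Object { $_.EnhancedKeyUsages.Value -contains $ClientAuthOid })
}

if (-not $candidates) {
    throw 'No usable client-authentication certificate found in CurrentUser\My.'
}

# Prefer the certificate with the latest expiry; adjust if several cards are present.
$cert = $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1
$cert | Format-List Subject, Issuer, NotAfter, Thumbprint

# Use the Windows TLS stack so the store path is understood, then pin the
# certificate to this remote only, so git does not offer it to every HTTPS host.
git config --global http.sslBackend schannel
git config --global "http.$RemoteHost.sslCert" "CurrentUser\MY\$($cert.Thumbprint)"

# Show what was written.
git config --global --get-regexp '^http\.'
```

Because the private key never leaves the card, the PIN prompt comes from the card's CSP/KSP during the TLS handshake, not from git.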