Sample code for 30+ languages & platforms
C++

HTTPS Client Certificate using Smartcard or Token

See more HTTP Examples

Explains how to use a client certificate for HTTP TLS mutual authentication where the certificate and private key exists on an HSM (Smartcard or USB Token).

Chilkat C++ Downloads

C++
#include <CkHttp.h>
#include <CkCert.h>

void ChilkatSample(void)
    {
    bool success = false;

    CkHttp http;

    //  To do HTTPS mutual authentication where the certificate and private key are stored
    //  on a smartcard or token, first load the Chilkat certificate object from the smartcard/token,
    //  and then pass the certificate object to the Http object's SetSslClientCert method.

    //  Doing HTTP mutual authentication is the same regardless of the source of the cert + private key.
    //  The steps are to first load the certificate from the source, then pass the cert object to the HTTP object.
    //  Chilkat provides methods for loading the certificate from a variety of sources, such as smartcards, tokens,
    //  .pfx/.p12 files, Windows registry-based certificate stores, PEM files, or other file formats.
    CkCert cert;

    //  The easiest way to load a certificate from an HSM is to call cert.LoadFromSmartcard with 
    //  an empty string argument.  Chilkat will detect the HSM and will choose the most appropriate
    //  underlying means for accessing and loading the default certificate + key from the HSM.
    //  The underlying means could be PKCS11, ScMinidriver, or MSCNG, depending on the HSM what it
    //  supports.

    //  For example:
    //  If you know the smart card PIN, it's good to set it prior to loading from the smartcard/USB token.
    cert.put_SmartCardPin("12345678");

    //  To let Chilkat discover what smartcard or token is connected, pass an empty string to LoadFromSmartcard.
    //  When testing in this way, it's best to have only a single smartcard or token connected to the system.
    success = cert.LoadFromSmartcard("");
    if (success == false) {
        std::cout << cert.lastErrorText() << "\r\n";
        std::cout << "Certificate not loaded." << "\r\n";
        return;
    }

    //  If there are multiple certificates stored on the smartcard/token, then 
    //  you can be more specific.  See these examples:

    //  Load a Certificate from an HSM by Common Name
    //  Load a Certificate from an HSM by Serial Number

    //  It may be that you need to code at a lower level with a specific
    //  supported interface, such as PKCS11.
    //  See these examples:

    //  Use PKCS11 to Find a Specific Certificate
    //  Use PKCS11 to Find a Certificate with a Specified Key Usage

    //  Once you have the desired certificate, pass it to SetSslClientCert.
    //  Set the certificate to be used for mutual TLS authentication
    //  (i.e. sets the client-side certificate for two-way TLS authentication)
    success = http.SetSslClientCert(cert);
    if (success != true) {
        std::cout << http.lastErrorText() << "\r\n";
        return;
    }

    //  At this point, the HTTP object instance is setup with the client-side cert, and any SSL/TLS
    //  connection will automatically use it if the server demands a client-side cert.
    }