
HTTPS Mutual Authentication using Smartcard or Token


Explains how to do HTTP TLS mutual authentication using an HSM (Smartcard or USB Token).


DataFlex
Use ChilkatAx-win32.pkg

Procedure Test
    Boolean iSuccess
    Handle hoHttp
    Variant vCert
    Handle hoCert
    String sTemp1

    Move False To iSuccess

    Get Create (RefClass(cComChilkatHttp)) To hoHttp
    If (Not(IsComObjectCreated(hoHttp))) Begin
        Send CreateComObject of hoHttp
    End

    // To do HTTPS mutual authentication where the certificate and private key are stored
    // on a smartcard or token, first load the Chilkat certificate object from the smartcard/token,
    // and then pass the certificate object to the Http object's SetSslClientCert method.

    // Doing HTTP mutual authentication is the same regardless of the source of the cert + private key.
    // The steps are to first load the certificate from the source, then pass the cert object to the HTTP object.
    // Chilkat provides methods for loading the certificate from a variety of sources, such as smartcards, tokens,
    // .pfx/.p12 files, Windows registry-based certificate stores, PEM files, or other file formats.
    Get Create (RefClass(cComChilkatCert)) To hoCert
    If (Not(IsComObjectCreated(hoCert))) Begin
        Send CreateComObject of hoCert
    End

    // The easiest way to load a certificate from an HSM is to call cert.LoadFromSmartcard with
    // an empty string argument.  Chilkat will detect the HSM and will choose the most appropriate
    // underlying means for accessing and loading the default certificate + key from the HSM.
    // The underlying means could be PKCS11, ScMinidriver, or MSCNG, depending on the HSM and
    // what it supports.

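    // For example:
    // If you know the smart card PIN, it's good to set it prior to loading from the smartcard/USB token.
    // The PIN is a literal here only to keep the sample short. In real code, obtain it at run time
    // (for example, by prompting the user) rather than embedding it in source.
    Set ComSmartCardPin Of hoCert To "12345678"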

    // To let Chilkat discover what smartcard or token is connected, pass an empty string to LoadFromSmartcard.
    // When testing in this way, it's best to have only a single smartcard or token connected to the system.
    Get ComLoadFromSmartcard Of hoCert "" To iSuccess
    If (iSuccess = False) Begin
        Get ComLastErrorText Of hoCert To sTemp1
        Showln sTemp1
        Showln "Certificate not loaded."
        Procedure_Return
    End

    // If there are multiple certificates stored on the smartcard/token, then 
    // you can be more specific.  See these examples:

    // Load a Certificate from an HSM by Common Name
    // Load a Certificate from an HSM by Serial Number

    // It may be that you need to code at a lower level with a specific
    // supported interface, such as PKCS11.
    // See these examples:

    // Use PKCS11 to Find a Specific Certificate
    // Use PKCS11 to Find a Certificate with a Specified Key Usage

    // Once you have the desired certificate, pass it to SetSslClientCert.
    // Set the certificate to be used for mutual TLS authentication
    // (i.e. sets the client-side certificate for two-way TLS authentication)
    Get pvComObject of hoCert to vCert
    Get ComSetSslClientCert Of hoHttp vCert To iSuccess
    If (iSuccess <> True) Begin
        Get ComLastErrorText Of hoHttp To sTemp1
        Showln sTemp1
        Procedure_Return
    End

    // At this point, the HTTP object instance is set up with the client-side cert, and any SSL/TLS
    // connection will automatically use it if the server demands a client-side cert.


End_Procedure
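
Added example, not part of the original Chilkat sample: the same flow carried through to an actual request, with server certificate verification turned on so that both ends of the connection are authenticated. The procedure name MutualTlsGet and its parameters sUrl and sPin are hypothetical; the PIN is supplied by the caller instead of being written into the source.

```dataflex
Use ChilkatAx-win32.pkg
// Added example, not Chilkat's own code. MutualTlsGet, sUrl and sPin are hypothetical names.
Procedure MutualTlsGet String sUrl String sPin
    Boolean iSuccess
    Handle hoHttp
    Handle hoCert
    Variant vCert
    Integer iStatus
    String sBody
    String sTemp1

    Get Create (RefClass(cComChilkatHttp)) To hoHttp
    If (Not(IsComObjectCreated(hoHttp))) Begin
        Send CreateComObject of hoHttp
    End
    Get Create (RefClass(cComChilkatCert)) To hoCert
    If (Not(IsComObjectCreated(hoCert))) Begin
        Send CreateComObject of hoCert
    End

    // The PIN arrives as an argument (e.g. from a prompt), never as a literal in source.
    Set ComSmartCardPin Of hoCert To sPin
    Get ComLoadFromSmartcard Of hoCert "" To iSuccess
    If (iSuccess <> True) Begin
        Get ComLastErrorText Of hoCert To sTemp1
        Showln sTemp1
        Procedure_Return
    End

    Get pvComObject of hoCert to vCert
    Get ComSetSslClientCert Of hoHttp vCert To iSuccess
    If (iSuccess <> True) Begin
        Get ComLastErrorText Of hoHttp To sTemp1
        Showln sTemp1
        Procedure_Return
    End

    // Require the server's certificate to validate, so the client is not the only side checked.
    Set ComRequireSslCertVerify Of hoHttp To True
    Get ComQuickGetStr Of hoHttp sUrl To sBody
    Get ComLastMethodSuccess Of hoHttp To iSuccess
    If (iSuccess <> True) Begin
        Get ComLastErrorText Of hoHttp To sTemp1
        Showln sTemp1
        Procedure_Return
    End
    Get ComLastStatus Of hoHttp To iStatus
    Showln "HTTP status: " iStatus
End_Procedure
```

If the TLS handshake fails, whether because the server rejects the client certificate or because the server's own certificate does not verify, the details are in the LastErrorText printed by the last error branch.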