Tcl
HTTPS Client Certificate using Smartcard or Token
Explains how to use a client certificate for HTTP TLS mutual authentication where the certificate and private key exist on an HSM (Smartcard or USB Token).
load ./chilkat.dll
set success 0
set http [new_CkHttp]
# To do HTTPS mutual authentication where the certificate and private key are stored
# on a smartcard or token, first load the Chilkat certificate object from the smartcard/token,
# and then pass the certificate object to the Http object's SetSslClientCert method.
# Doing HTTP mutual authentication is the same regardless of the source of the cert + private key.
# The steps are to first load the certificate from the source, then pass the cert object to the HTTP object.
# Chilkat provides methods for loading the certificate from a variety of sources, such as smartcards, tokens,
# .pfx/.p12 files, Windows registry-based certificate stores, PEM files, or other file formats.
set cert [new_CkCert]
# The easiest way to load a certificate from an HSM is to call cert.LoadFromSmartcard with
# an empty string argument. Chilkat will detect the HSM and will choose the most appropriate
# underlying means for accessing and loading the default certificate + key from the HSM.
# The underlying means could be PKCS11, ScMinidriver, or MSCNG, depending on what the HSM supports.
# For example:
# If you know the smart card PIN, it's good to set it prior to loading from the smartcard/USB token.
CkCert_put_SmartCardPin $cert "12345678"
# To let Chilkat discover what smartcard or token is connected, pass an empty string to LoadFromSmartcard.
# When testing in this way, it's best to have only a single smartcard or token connected to the system.
set success [CkCert_LoadFromSmartcard $cert ""]
if {$success == 0} then {
    puts [CkCert_lastErrorText $cert]
    puts "Certificate not loaded."
    delete_CkHttp $http
    delete_CkCert $cert
    exit
}
# If there are multiple certificates stored on the smartcard/token, then
# you can be more specific. See these examples:
# Load a Certificate from an HSM by Common Name
# Load a Certificate from an HSM by Serial Number
# It may be that you need to code at a lower level with a specific
# supported interface, such as PKCS11.
# See these examples:
# Use PKCS11 to Find a Specific Certificate
# Use PKCS11 to Find a Certificate with a Specified Key Usage
# Once you have the desired certificate, pass it to SetSslClientCert.
# Set the certificate to be used for mutual TLS authentication
# (i.e. sets the client-side certificate for two-way TLS authentication)
set success [CkHttp_SetSslClientCert $http $cert]
if {$success != 1} then {
    puts [CkHttp_lastErrorText $http]
    delete_CkHttp $http
    delete_CkCert $cert
    exit
}
# At this point, the HTTP object instance is setup with the client-side cert, and any SSL/TLS
# connection will automatically use it if the server demands a client-side cert.
delete_CkHttp $http
delete_CkCert $cert
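The listing above stops once the certificate is attached to the HTTP object and never performs a request, so the mutual-TLS handshake is never actually exercised. The following is an added example (not code from the Chilkat page) that carries the procedure through: it checks that the loaded certificate has an accessible private key before using it, makes a request against a placeholder mTLS endpoint, and inspects the result. The PIN and URL are constructed placeholders; HasPrivateKey, subjectDN, quickGetStr, get_LastMethodSuccess and get_LastStatus are assumed to follow the same Chilkat Tcl naming convention as the calls on the page.

```tcl
load ./chilkat.dll

# Added example, not part of the original page. Assumptions: the PIN and the
# URL are placeholders; the Chilkat calls not shown on the page are assumed to
# follow the binding's usual naming (CkCert_HasPrivateKey, CkCert_subjectDN,
# CkHttp_quickGetStr, CkHttp_get_LastMethodSuccess, CkHttp_get_LastStatus).

set http [new_CkHttp]
set cert [new_CkCert]

# Release both objects on every exit path.
proc cleanup {http cert} {
    delete_CkHttp $http
    delete_CkCert $cert
}

CkCert_put_SmartCardPin $cert "12345678"   ;# constructed placeholder PIN

# Let Chilkat discover the single connected smartcard/token.
if {[CkCert_LoadFromSmartcard $cert ""] == 0} {
    puts [CkCert_lastErrorText $cert]
    cleanup $http $cert
    exit 1
}

# Sanity check before use: a certificate whose private key is not accessible
# on the token cannot complete the client side of the TLS handshake.
if {[CkCert_HasPrivateKey $cert] == 0} {
    puts "Certificate loaded, but its private key is not accessible on the token."
    cleanup $http $cert
    exit 1
}
puts "Using client certificate: [CkCert_subjectDN $cert]"

if {[CkHttp_SetSslClientCert $http $cert] == 0} {
    puts [CkHttp_lastErrorText $http]
    cleanup $http $cert
    exit 1
}

# Placeholder endpoint that demands a client certificate (assumption).
set url "https://mtls.example.com/api/whoami"
set response [CkHttp_quickGetStr $http $url]

if {[CkHttp_get_LastMethodSuccess $http] == 0} {
    # LastErrorText carries the TLS handshake details, which is where a
    # client certificate rejected by the server shows up.
    puts [CkHttp_lastErrorText $http]
    cleanup $http $cert
    exit 1
}

puts "HTTP status: [CkHttp_get_LastStatus $http]"
puts $response
cleanup $http $cert
```

A non-zero exit on each failure path lets a wrapper script tell a PIN or token problem apart from a server-side rejection by reading the printed LastErrorText, and the HasPrivateKey check catches the common case where a token exposes a certificate but the key object is not reachable with the given PIN.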