SQL Server
SQL Server
HTTPS Client Certificate using Smartcard or Token
See more HTTP Examples
Explains how to use a client certificate for HTTP TLS mutual authentication where the certificate and private key exists on an HSM (Smartcard or USB Token).Chilkat SQL Server Downloads
-- Important: See this note about string length limitations for strings returned by sp_OAMethod calls.
--
CREATE PROCEDURE ChilkatSample
AS
BEGIN
DECLARE @hr int
-- Important: Do not use nvarchar(max). See the warning about using nvarchar(max).
DECLARE @sTmp0 nvarchar(4000)
DECLARE @success int
SELECT @success = 0
DECLARE @http int
EXEC @hr = sp_OACreate 'Chilkat.Http', @http OUT
IF @hr <> 0
BEGIN
PRINT 'Failed to create ActiveX component'
RETURN
END
-- To do HTTPS mutual authentication where the certificate and private key are stored
-- on a smartcard or token, first load the Chilkat certificate object from the smartcard/token,
-- and then pass the certificate object to the Http object's SetSslClientCert method.
-- Doing HTTP mutual authentication is the same regardless of the source of the cert + private key.
-- The steps are to first load the certificate from the source, then pass the cert object to the HTTP object.
-- Chilkat provides methods for loading the certificate from a variety of sources, such as smartcards, tokens,
-- .pfx/.p12 files, Windows registry-based certificate stores, PEM files, or other file formats.
DECLARE @cert int
EXEC @hr = sp_OACreate 'Chilkat.Cert', @cert OUT
-- The easiest way to load a certificate from an HSM is to call cert.LoadFromSmartcard with
-- an empty string argument. Chilkat will detect the HSM and will choose the most appropriate
-- underlying means for accessing and loading the default certificate + key from the HSM.
-- The underlying means could be PKCS11, ScMinidriver, or MSCNG, depending on the HSM what it
-- supports.
-- For example:
-- If you know the smart card PIN, it's good to set it prior to loading from the smartcard/USB token.
EXEC sp_OASetProperty @cert, 'SmartCardPin', '12345678'
-- To let Chilkat discover what smartcard or token is connected, pass an empty string to LoadFromSmartcard.
-- When testing in this way, it's best to have only a single smartcard or token connected to the system.
EXEC sp_OAMethod @cert, 'LoadFromSmartcard', @success OUT, ''
IF @success = 0
BEGIN
EXEC sp_OAGetProperty @cert, 'LastErrorText', @sTmp0 OUT
PRINT @sTmp0
PRINT 'Certificate not loaded.'
EXEC @hr = sp_OADestroy @http
EXEC @hr = sp_OADestroy @cert
RETURN
END
-- If there are multiple certificates stored on the smartcard/token, then
-- you can be more specific. See these examples:
-- Load a Certificate from an HSM by Common Name
-- Load a Certificate from an HSM by Serial Number
-- It may be that you need to code at a lower level with a specific
-- supported interface, such as PKCS11.
-- See these examples:
-- Use PKCS11 to Find a Specific Certificate
-- Use PKCS11 to Find a Certificate with a Specified Key Usage
-- Once you have the desired certificate, pass it to SetSslClientCert.
-- Set the certificate to be used for mutual TLS authentication
-- (i.e. sets the client-side certificate for two-way TLS authentication)
EXEC sp_OAMethod @http, 'SetSslClientCert', @success OUT, @cert
IF @success <> 1
BEGIN
EXEC sp_OAGetProperty @http, 'LastErrorText', @sTmp0 OUT
PRINT @sTmp0
EXEC @hr = sp_OADestroy @http
EXEC @hr = sp_OADestroy @cert
RETURN
END
-- At this point, the HTTP object instance is setup with the client-side cert, and any SSL/TLS
-- connection will automatically use it if the server demands a client-side cert.
EXEC @hr = sp_OADestroy @http
EXEC @hr = sp_OADestroy @cert
END
GO