SQL Server
SQL Server
HTTPS Mutual Authentication using Smartcard or Token
See more HTTP Examples
Explains how to do HTTP TLS mutual authentication using an HSM (Smartcard or USB Token).Chilkat SQL Server Downloads
-- Important: See this note about string length limitations for strings returned by sp_OAMethod calls.
--
CREATE PROCEDURE ChilkatSample
AS
BEGIN
DECLARE @hr int
-- Important: Do not use nvarchar(max). See the warning about using nvarchar(max).
DECLARE @sTmp0 nvarchar(4000)
DECLARE @success int
SELECT @success = 0
DECLARE @http int
EXEC @hr = sp_OACreate 'Chilkat.Http', @http OUT
IF @hr <> 0
BEGIN
PRINT 'Failed to create ActiveX component'
RETURN
END
-- To do HTTPS mutual authentication where the certificate and private key are stored
-- on a smartcard or token, first load the Chilkat certificate object from the smartcard/token,
-- and then pass the certificate object to the Http object's SetSslClientCert method.
-- Doing HTTP mutual authentication is the same regardless of the source of the cert + private key.
-- The steps are to first load the certificate from the source, then pass the cert object to the HTTP object.
-- Chilkat provides methods for loading the certificate from a variety of sources, such as smartcards, tokens,
-- .pfx/.p12 files, Windows registry-based certificate stores, PEM files, or other file formats.
DECLARE @cert int
EXEC @hr = sp_OACreate 'Chilkat.Cert', @cert OUT
-- The easiest way to load a certificate from an HSM is to call cert.LoadFromSmartcard with
-- an empty string argument. Chilkat will detect the HSM and will choose the most appropriate
-- underlying means for accessing and loading the default certificate + key from the HSM.
-- The underlying means could be PKCS11, ScMinidriver, or MSCNG, depending on the HSM what it
-- supports.
-- For example:
-- If you know the smart card PIN, it's good to set it prior to loading from the smartcard/USB token.
EXEC sp_OASetProperty @cert, 'SmartCardPin', '12345678'
-- To let Chilkat discover what smartcard or token is connected, pass an empty string to LoadFromSmartcard.
-- When testing in this way, it's best to have only a single smartcard or token connected to the system.
EXEC sp_OAMethod @cert, 'LoadFromSmartcard', @success OUT, ''
IF @success = 0
BEGIN
EXEC sp_OAGetProperty @cert, 'LastErrorText', @sTmp0 OUT
PRINT @sTmp0
PRINT 'Certificate not loaded.'
EXEC @hr = sp_OADestroy @http
EXEC @hr = sp_OADestroy @cert
RETURN
END
-- If there are multiple certificates stored on the smartcard/token, then
-- you can be more specific. See these examples:
-- Load a Certificate from an HSM by Common Name
-- Load a Certificate from an HSM by Serial Number
-- It may be that you need to code at a lower level with a specific
-- supported interface, such as PKCS11.
-- See these examples:
-- Use PKCS11 to Find a Specific Certificate
-- Use PKCS11 to Find a Certificate with a Specified Key Usage
-- Once you have the desired certificate, pass it to SetSslClientCert.
-- Set the certificate to be used for mutual TLS authentication
-- (i.e. sets the client-side certificate for two-way TLS authentication)
EXEC sp_OAMethod @http, 'SetSslClientCert', @success OUT, @cert
IF @success <> 1
BEGIN
EXEC sp_OAGetProperty @http, 'LastErrorText', @sTmp0 OUT
PRINT @sTmp0
EXEC @hr = sp_OADestroy @http
EXEC @hr = sp_OADestroy @cert
RETURN
END
-- At this point, the HTTP object instance is setup with the client-side cert, and any SSL/TLS
-- connection will automatically use it if the server demands a client-side cert.
EXEC @hr = sp_OADestroy @http
EXEC @hr = sp_OADestroy @cert
END
GO