[Owasp-webscarab] SSL Client certificates and MSCAPI

Rogan Dawes rogan at dawes.za.net
Wed Oct 20 11:06:53 EDT 2010

Here is a howto w.r.t using client certs in WebScarab.

Let me know if you have any questions.



SSL client certificates are a great way to provide mutual authentication
between client and server. Unfortunately, this makes inserting an
intercepting proxy in between a somewhat challenging task!

In order to successfully achieve this, the intercepting proxy needs to
use the client certificate to make the connection to the server, to
allow the mutual authentication to be performed.

There are a number of mechanisms for distributing and storing client
keys and certificates. Amongst them are PEM, DER, PKCS#12 (.p12 or .pfx)
for file based storage, hardware tokens (smart cards, USB tokens, etc),
and also the Windows Certificate Store.

In order to make these available to the proxy, one has to consider what
the proxy supports, and then try to get "from here to there".


WebScarab natively supports PKCS#12 format files containing the key and
certificate. If that is the format you have, great! Just keep in mind
that Java requires that the PKCS#12 file be protected by a password, and
will not accept a null password.


If the key/cert is stored in PEM or DER format, you can use openssl to
convert them into a PKCS#12 format file. Check the man page for details.
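
The conversion described above, together with Java's requirement for a non-null PKCS#12 password, as an added example that is not part of the original post or of WebScarab. The function names, the default alias "client" and the throwaway self-signed pair are assumptions for illustration; DER keys are assumed to be unencrypted.

```shell
#!/bin/sh
# Added example: wrap a PEM or DER key and certificate in a PKCS#12 file.
# Function names and the default alias "client" are illustrative assumptions.

# is_pem FILE: succeeds when FILE contains a PEM header line.
is_pem() { grep -q -e '-----BEGIN ' "$1"; }

# to_p12 KEY CERT OUT PASSWORD [ALIAS]
# DER keys are assumed to be unencrypted.
to_p12() {
    key=$1; cert=$2; out=$3; pass=$4; name=${5:-client}
    # Java will not accept a null PKCS#12 password, so refuse an empty one.
    if [ -z "$pass" ]; then
        echo "to_p12: a non-empty export password is required" >&2
        return 2
    fi
    tmp=$(mktemp -d) || return 1
    k=$key; c=$cert
    # Normalise DER inputs to PEM; PEM inputs are used as they are.
    if ! is_pem "$key"; then
        k=$tmp/key.pem
        openssl pkey -inform DER -in "$key" -out "$k" || { rm -rf "$tmp"; return 1; }
    fi
    if ! is_pem "$cert"; then
        c=$tmp/cert.pem
        openssl x509 -inform DER -in "$cert" -out "$c" || { rm -rf "$tmp"; return 1; }
    fi
    # The password travels in the environment, not on the openssl command line.
    P12_PASS=$pass openssl pkcs12 -export -inkey "$k" -in "$c" \
        -name "$name" -out "$out" -passout env:P12_PASS
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# p12_ok FILE PASSWORD: succeeds when FILE opens and verifies with PASSWORD.
p12_ok() {
    P12_PASS=$2 openssl pkcs12 -in "$1" -noout -passin env:P12_PASS 2>/dev/null
}

# make_demo_pair DIR: constructed, throwaway self-signed key and certificate.
make_demo_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=constructed-demo-client' \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Usage: to_p12 client.key client.crt client.p12 "$PASSWORD"
```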

Hardware tokens, PKCS#11

If the cert is stored in a token, the only solution is to access it
using PKCS#11, which is a standard for accessing hardware tokens. This
feature requires a 1.5 JRE, since that was when PKCS#11 support was
introduced by Sun.

To enable support for the token, you need to have a PKCS#11 interface to
it, typically provided by the token vendor. This comes in the form of a
.dll or a .so dynamic library, which the JRE loads. So, first, you need
to have this library, and know the path to it.

To use it in WebScarab, use the Tools -> Certificates menu, then choose
"Add Key Store", PKCS#11, enter an arbitrary Name, provide the path of
the Library, and enter the password or pin required to access the token.
Click OK. This will then present a list of available keys and
certificates on the device. Choose the desired one, and select "Activate
Selected Alias". You will be prompted for another password; this is
typically the same as the one used to access the token.

Windows Certificate Store, Exportable keys

If the certificate is stored in the Windows Certificate store, you MAY
be able to export the cert and key into a PKCS#12 format file. If the
key is marked as unexportable, this is not possible, and the final
solution must be used.

Windows Certificate Store, Unexportable keys

To access an unexportable key in the Windows Certificate Store, the most
effective solution found so far is to make use of a PKCS#11 <->
CryptoAPI bridge. This puts a PKCS#11 interface on top of the
Certificate Store, and allows Java access to the key. Such a bridge has
been implemented as p11-capi.dll (website at
http://thewalter.net/git/cgit.cgi/p11-capi/). A compiled version of
this, which may not match the sources available 100%, is available at
http://dawes.za.net/rogan/webscarab/p11-capi.dll, and has been confirmed
to work.

When loading the p11-capi DLL, no password is required. Simply leave
that field blank.

This MAY also work for hardware tokens that do not provide PKCS#11
drivers, but only Windows CAPI drivers.

"Microsoft CAPI Store"

When accessing the Tools -> Certificates menu item on a MS platform, you
may see the "Microsoft CAPI Store" keystore, which shows the
certificates available in the CAPI keystore. This feature does not work
reliably, and should be removed. Anyone using this successfully should
let me know, otherwise it may not be around for much longer.
