Ensign

SslHandshakeException throws when using embedded 'clientCertificate' setting in WebInspect API

I am trying to use the embedded 'clientCertificate' setting with the WebInspect remote API when creating a scan using a '/webinspect/scanner/scans' POST request, and I am getting an error:

{ "Message": "SPI.Net.StateRequestor.RequestProcessor SPI.Net.Requestor.SSL.SslHandshakeException (0x80004005): Client Certificate is invalid. Reason: An unknown error occurred while processing the certificate", "Date": "2020-06-24T08:20:02.303", "Level": "Error", "Type": "LogMessageOccured" }

-------------

The above error is thrown in the scan logs when the scan is running against a website that requires a PKI client cert for authentication. The issue exists in both versions 19.2 and 20.1.

Has anyone been able to make this work?

Micro Focus Expert

First question I have is whether this works in the UI as a basic scan? This will rule out any issues outside of creating the scan via the API.

Second question is whether you are using a client certificate available in the Windows certificate store or the raw client certificate? If from the cert store, make sure you have defined the following:

  • IsGlobal - if true, look for StoreName in the Local Machine hive. Otherwise look for StoreName in the Current User hive.
  • StoreName - the system store name where the certificate is located. The predefined system stores are: MY, Root, Trust, CA.
  • SerialNumber - the serial number that uniquely identifies the client certificate.
Ensign

Thank you for the quick feedback!

After more testing, we discovered that the embedded certificate and keystore-based certificate features work as long as you are using a self-signed certificate. The feature doesn't seem to work if the signing cert is separate and is stored separately. The REST API POST '/webinspect/scanner/scans' call throws SslHandshakeException when we're not using a self-signed certificate.

Do you have any guidance on how to package the PFX file so that we have the trust chain included and allow the REST API to validate the cert?

Thanks
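
The store lookup described in the reply above (IsGlobal, StoreName, SerialNumber), as an added PowerShell diagnostic that is not part of the thread and not WebInspect code: it finds the certificate in the indicated hive and reports whether Windows can build its chain, which is the difference this post reports between self-signed and CA-issued certificates. The serial number is a constructed placeholder, and the script assumes nothing about how WebInspect itself validates the certificate.

```powershell
# Added diagnostic. Parameter names mirror the settings named in the thread;
# the default serial number is a constructed placeholder, not a real value.
param(
    [bool]  $IsGlobal     = $false,
    [string]$StoreName    = 'MY',
    [string]$SerialNumber = '00AABBCCDDEEFF00'
)

# IsGlobal = true -> Local Machine hive, otherwise Current User hive.
$location = if ($IsGlobal) { 'LocalMachine' } else { 'CurrentUser' }
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store(
    $StoreName, [System.Security.Cryptography.X509Certificates.StoreLocation]$location)
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
try {
    # Serial numbers are often copied with spaces or colons; normalise first.
    $wanted = ($SerialNumber -replace '[\s:]', '').ToUpperInvariant()
    $cert = $store.Certificates |
        Where-Object { $_.SerialNumber -eq $wanted } |
        Select-Object -First 1
    if (-not $cert) { throw "No certificate with serial $wanted in $location\$StoreName" }

    "Subject       : $($cert.Subject)"
    "Issuer        : $($cert.Issuer)"
    "HasPrivateKey : $($cert.HasPrivateKey)"   # client auth needs the private key
    "Self-signed   : $($cert.Subject -eq $cert.Issuer)"

    # Build the chain the way Windows would, without revocation lookups,
    # and list every element found plus any chain errors.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    "Chain builds  : $($chain.Build($cert))"
    foreach ($el in $chain.ChainElements) { "  element: $($el.Certificate.Subject)" }
    foreach ($st in $chain.ChainStatus)   { "  status : $($st.Status) $($st.StatusInformation.Trim())" }
}
finally {
    $store.Close()
}
```

A chain that stops at the client certificate, or a status such as PartialChain or UntrustedRoot, means the issuing certificates are not available to Windows on that machine.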

Ensign

Waiting to hear any updates regarding the WebInspect API Remote Controller embedded ClientCertificate functionality.