
Part of the handshake is described as:

Upon receiving the Server Hello containing the Client Certificate request & list of Distinguished CA names, the client will perform the following steps:

  • The client uses the CA list available in the SERVER HELLO to determine the mutually trusted CA certificates.
  • The client will then determine the Client Certificates that have been issued by the mutually trusted Certification Authorities.
  • The client will then present the client certificate list to the user so that they can select a certificate to be sent to the Server.

So the last part of this states the cert list is provided to the user so they can select the cert to send to the server. In this case the user is FME. How does it select which cert to pass to the server?

 

Hi @robotix​ thank you for your question. I reached out to the team for some help on this one. Are you able to clarify what you are doing in FME?

Are you publishing a workspace to FME Server?

Using an FME Server web connection, for example from an HTTPCaller?

Using a transformer such as an FMEServerJobSubmitter?

Thanks, Daragh


Hello @daraghbroderick,

I was trying to communicate with a vendor API that required client authentication and required that the certificate be sent. This is in a workspace published to FME Server. I couldn't find a way for the HTTP caller to specify which certificate to grab. It kept trying to send the first cert with the right CA auth. Apparently there is some hidden magic in the way certificates are stored and retrieved in Windows and with Java.

I ended up using a python caller to specify the certificate to send with the request.

This is the basic syntax I used:

# import requests module
import requests

# Making a get request
requests.get('https://webaddress.org', cert=('/path/client.cert', '/path/client.key'))

I was then able to process the response in other transformations.

This matter is closed for me. It would be nice to know if there are alternative approaches though.

Thank you!
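The three selection steps quoted in the question, modelled as an added example that is not code from this thread or from FME: it filters a certificate store by the server's CA list and refuses to fall back to "first match" when several certificates qualify. Certificates are reduced to constructed records with string DNs (a simplification; only the direct issuer is compared), and every name and path below is a placeholder.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class ClientCert:
    subject_cn: str
    issuer_dn: str       # DN of the CA that signed this certificate
    not_after: datetime
    cert_path: str
    key_path: str

class AmbiguousCertificate(Exception):
    """Several certificates are acceptable and no explicit choice was made."""

def acceptable(store, server_ca_dns, now):
    """Steps 1 and 2: unexpired certificates issued by a CA the server named."""
    # An empty CA list in the certificate request means any issuer may be offered.
    wanted = set(server_ca_dns)
    return [c for c in store
            if c.not_after > now and (not wanted or c.issuer_dn in wanted)]

def select(store, server_ca_dns, now, want_cn=None):
    """Step 3 with no user present: the (cert, key) pair to send, or None."""
    candidates = acceptable(store, server_ca_dns, now)
    if want_cn is not None:
        candidates = [c for c in candidates if c.subject_cn == want_cn]
    if not candidates:
        return None
    if len(candidates) > 1:
        # Picking candidates[0] here is the "first cert with the right CA" behaviour.
        raise AmbiguousCertificate(", ".join(c.subject_cn for c in candidates))
    chosen = candidates[0]
    return (chosen.cert_path, chosen.key_path)  # tuple shape taken by requests' cert=

# Constructed sample data: store contents, CA names and paths are placeholders.
def utc(year):
    return datetime(year, 1, 1, tzinfo=timezone.utc)

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
ISSUER = "CN=Example Issuing CA,O=Example"
SERVER_CAS = [ISSUER]
STORE = [
    ClientCert("workstation-01", ISSUER, utc(2026), "/path/ws.cert", "/path/ws.key"),
    ClientCert("vendor-api-client", ISSUER, utc(2026), "/path/client.cert", "/path/client.key"),
    ClientCert("old-vendor-client", ISSUER, utc(2023), "/path/old.cert", "/path/old.key"),
    ClientCert("other-service", "CN=Other CA,O=Example", utc(2026), "/path/other.cert", "/path/other.key"),
]

if __name__ == "__main__":
    print(select(STORE, SERVER_CAS, NOW, want_cn="vendor-api-client"))
```
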



Hi @robotix​ ,

 

I'm glad you have a workaround. We unfortunately don't have anything that can do this in the HTTPCaller yet; however, if this is important to you, please post the idea for the "HTTPCaller to specify client certificates" on our Ideas page. Voted-up ideas greatly impact which enhancements we work on next!


As I have the same need, and have not yet found an entry on the Ideas page, I added one.

 

https://community.safe.com/s/bridea/a0r4Q00000I0pb2QAB/httpcaller-to-specify-client-certificates

 

Please vote if you stumble upon this page...


Idea seems to have moved to
 

Again, have a client in need of this functionality, preferring it natively in FME.

