How to add a custom certificate to a HTTPS request ?

Hi @lifalin2016,

I'm not well versed in this topic, but would this Q&A provide any leads on what you're trying to do? There's a bit more on the parameters of the HTTPCaller under Verify SSL Certificates. If that's not it, perhaps someone else from the Community will be able to chime in with some other ideas?

Unfortunately it has nothing to do with SSL, but with function certificates (FOCES).

Anyone?

@lifalin2016 Do you have any information on FOCES certificates? I couldn't find anything online as to how they might work with a webservice.

Ah, it looks like the "OCES" (FOCES = Function OCES) is a Danish denomination :-/

In reality it's a plain X.509 certificate as I understand it, used to sign requests (apart from the encrypted transport like SSL). If no certificate accompanies the initial request, a request for an authenticated request is returned by the server, and this is where the popup dialog comes up on my client. I want to skip that.

So my question is how to attach such an X.509 certificate to the initial HttpRequest to avoid this interactive back'n'forth. I have the certificate stored in a PKCS12 formatted file.

I only have two options in HttpCaller - headers and attachments. Which can I use ?

I know how to do it in C#, but I would very much like to hear about what's "under the hood" from someone at Safe, please?

Hi @lifalin2016,

I'm not entirely sure what you mean by "Upload Data" or "Upload From File". I don't see such options in the HttpCaller interface !??

Ah, they appear when you switch from GET to POST. Unfortunately this is not possible in this case.

After some digging around, it seems that the client certificate needs to be invoked when the connection is established, not for each request. This makes sense, I guess.

Unfortunately HttpCaller does not have any provisions for adding certificates to the connection to be established. And I'm a little unsure whether such a certified tunnel is reused across multiple HttpCaller's ?

I did read "Question of the week..." but I don't think it adresses my situation, only how to fetch tokens in token based services with url based parameters (and they're not hard to do).

I've looked into Python examples of creating secure connections, but the problem is of course keeping the context, so requests are made in that secure context across several transformers.

Does anyone have some insights into secure tunnels with FME ?

I also have the same issue, it would be good to extend HTTPCaller to cover this

@Lars I Nielsen​ I have the same issue. I was trying to get it work with the python caller. Unfortunately it does not work. It is possible to share the Python code?

Here's the core code of my trials. Substitute your own arguments in the relevant calls. You need seperate certificate and key files.

import socket
import ssl
 
context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
# context = ssl.SSLContext(ssl.PROTOCOL_SSLv3)
 
context.load_cert_chain(certfile=client_cert, keyfile=client_keys, password=client_pass)
 
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
conn = context.wrap_socket(s, server_side=False, server_hostname=host_name)
 
conn.connect((host_name, host_port))
 
# and then
req = "GET /api/{1} HTTP/1.1\r\nHost: {0}".format(host_name, test_page, host_port)
conn.send((req + "\r\n\r\n ").encode())  # send as bytes

Good luck. Cheers.