Get a client certificate off of a DoD CAC Card


I have a C application that uses LibCurl (LibCurl is a C API that makes an HTTP connection to a web server). Using LibCurl I need to download a file from an HTTPS server that requires a client certificate.

So far our technical solution works great.

My problem is that the client certificate that we need to use resides on a DoD CAC card. I need to be able to pull the client certificate off of the DoD CAC card (from within my C app) and either write it to a file or just reference the file on the CAC. This written or referenced file will then be specified as my client certificate in my HTTPS connection.

I do not know how to locate or reference the client certificate off the DoD CAC Card. Any help is very much appreciated. Thanks.

2

There are 2 answers

2
apollosoftware.org On BEST ANSWER

When ActivClient publishes the CAC card certificates to Windows, it should export the certificates to the store. You may need to automate exporting the certificate from your local certificate store to a file in .pfx or .p7b format. Maybe .cer; I don't know if that's possible. It will need to be password protected.

I don't think you can do it directly from the CAC card without an intermediary middle layer (like the cert store).

0
o0knight0o On

This is the method for C#; it may help with C. I'm really not familiar with C code.

using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Looks up the client certificate in the LocalMachine\My (Personal) store by subject name.
// Returns null unless exactly one match is found, so the caller must check for null.
private static X509Certificate GetClientCert()
{
    X509Store store = null;
    try
    {
        store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.OpenExistingOnly | OpenFlags.ReadOnly);

        // validOnly = true drops certificates that are expired or do not chain to a trusted root.
        var certs = store.Certificates.Find(X509FindType.FindBySubjectName, "Integration Client Certificate", true);
        if (certs.Count == 1)
        {
            return certs[0];
        }
    }
    finally
    {
        if (store != null)
            store.Close();
    }

    return null;
}

The code to get and export the cert is

// This will bring up the selection prompt to select your cert
X509Certificate c = GetClientCert();
if (c == null)
    throw new InvalidOperationException("Client certificate not found in the store.");

// The password should be the PIN converted to a SecureString variable.
// Note: the code above will not prompt for a PIN; if you want this you will have to build the prompt yourself. It only selects the certificate.
System.Security.SecureString password = new System.Security.SecureString(); // fill from your own PIN prompt

// Export returns the encoded bytes; X509ContentType.Cert yields the DER-encoded certificate only.
byte[] exported = c.Export(X509ContentType.Cert, password);

The export method has various types to export to I am not sure if one will be the format you are referring to. This is something you will need to play with. I am not even sure you will be able to use those libraries in C but just in case you could I posted them.
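Both answers point at the Windows certificate store as the middle layer, and the question asks for something a C/libcurl program can consume. The following is an added example, not code from either answer: it finds the CAC client-authentication certificate in the current user's Personal store (ActivClient and the Windows smart-card minidriver publish to `Cert:\CurrentUser\My`, not LocalMachine), shows why a `.pfx` export cannot work (the private key is generated on the card and marked non-exportable), exports the public certificate as `.cer`, and builds the certificate-store reference that a Schannel-built libcurl accepts for `CURLOPT_SSLCERT` / `--cert`. The output directory, the file name `cac-client.cer`, the `*DOD*` issuer filter and the `https://example.mil/file` URL are placeholders assumed for illustration.

```powershell
# Added example: locate the CAC client-auth certificate, export its public half,
# and reference the on-card key from curl through the Windows certificate store.
# Assumes the CAC is inserted and its certificates are already in Cert:\CurrentUser\My.
# Requires the PKI module (Export-Certificate), present on Windows 8 / Server 2012 and later.

$ClientAuthEku = '1.3.6.1.5.5.7.3.2'            # id-kp-clientAuth
$OutDir        = Join-Path $env:TEMP 'cac-export' # placeholder output directory
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# A CAC carries several certificates (identity, email signing, email encryption).
# Keep only those usable for TLS client authentication, with a key Windows can
# drive, and not yet expired.
$candidates = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthEku })
    }

# Prefer a DoD-issued certificate if more than one candidate remains (assumed filter).
$cac = $candidates | Where-Object { $_.Issuer -like '*DOD*' } | Select-Object -First 1
if (-not $cac) { $cac = $candidates | Select-Object -First 1 }
if (-not $cac) { throw 'No client-authentication certificate with a usable private key found in CurrentUser\My.' }

# Check 1: a .pfx/.p12 with the private key is not obtainable from a smart card.
# The key never leaves the card, so a PKCS#12 export (the same call as the
# second answer's c.Export) is expected to fail with a CryptographicException.
try {
    $null = $cac.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, 'unused')
    Write-Warning 'Private key was exportable, so this certificate is not backed by the CAC.'
} catch [System.Security.Cryptography.CryptographicException] {
    Write-Host "Private key stays on the card (expected): $($_.Exception.Message)"
}

# Check 2: the public certificate exports fine as DER (.cer), but on its own it
# is not a client credential, because the matching private key is absent.
$cerPath = Join-Path $OutDir 'cac-client.cer'
Export-Certificate -Cert $cac -FilePath $cerPath -Type CERT | Out-Null

# What works without exporting anything: libcurl built against Schannel accepts
# a store path of the form '<store location>\<store name>\<thumbprint>' as the
# client certificate. The TLS handshake then signs with the on-card key and the
# card's CSP/KSP raises the PIN prompt. Windows' built-in curl.exe is Schannel-built.
$storeRef = "CurrentUser\MY\$($cac.Thumbprint)"

Write-Host "Subject   : $($cac.Subject)"
Write-Host "Thumbprint: $($cac.Thumbprint)"
Write-Host "Exported  : $cerPath (public certificate only)"
Write-Host "Usage     : curl.exe --cert `"$storeRef`" https://example.mil/file -o file"
```

In the C program from the question the same reference is passed with `curl_easy_setopt(curl, CURLOPT_SSLCERT, "CurrentUser\\MY\\<thumbprint>")`, provided the libcurl build uses the Schannel backend (check `curl_version()` for "Schannel"). A libcurl built against OpenSSL cannot read the Windows store; there the usual route is a PKCS#11 engine or provider in front of the CAC middleware, and the exported `.cer` is of no help for the client side of the handshake because it carries no key.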