Last post Jun 03, 2014 02:52 AM by rune007
May 08, 2014 05:35 AM|rune007
I work in an organisation where we need to make a REST request against an API exposed by some company
producing electronic equipment. My colleague has just gone on holiday, and left me with the task. I
am sorry that this question is quite broad, I can eventually split it into other threads if you
think so, but I am quite blank in this area and don't know how to proceed.
The company who exposes this API has written this in the documentation:
"Services API are RESTful with XML support. The request should be a standard HTTPS request on port
443 to an URL. The request should be made with GET method with, having a content type of
"application/xml;charset=UTF8". Each client should have an individual certificate, and the
certificate should be issued by the production company. The client shall provide its certificate as
part of the SSL handshake."
My colleague has left me a .zip folder with these files: FileOne.csr, FileOne.key, FileTwo.csr,
In the documentation are also some examples of a request and a response:
curl -v "https://<host>/api/someFuncionality?paraMeter=xxxxx&userId=xxxxxx" --cert cert.pem --key key.pem
<?xml version="1.0" encoding="UTF-8"?>
<ns:someFuncionalityResponse version="1" deviceCount="1"
<someFuncionalityDevice serialNumber="xxxxxxxx" prodNumber="xxxxxxxxx" locationCode="xxxxxxxxx"
Also in the documentation are some URLs, some for testing and some for production, e.g.:
Have I got what I need to start making these requests?
Can you point me to some C# tutorials to help me get started?
Do I have a certificate? Are some of the .csr / .key files the certificate?
Are there any good tools for playing around with this?
May 08, 2014 02:18 PM|damienBod
This post should help you
May 14, 2014 09:20 AM|rune007
Thank you for your reply.
Hm... apparently I don't have a certificate yet. They say at my organization that we are
waiting on some .crt files before we can proceed.
I will return to your link when I receive the .crt files and see how it can help me :)
May 21, 2014 09:24 AM|rune007
Ok, we have now received some .pem files and some URLs for test and production from the electronic company. My organization is going to make a GET request against this REST API web service of the electronic company.
These .pem files are the certificates? Right?
Can anybody point me to a good C# code example on how to use this in code, so that we can make a successful GET HTTP request against the REST web service, using the certificates?
I have tried to open the .pem files with notepad and inside they look like this:
Jun 03, 2014 02:52 AM|rune007
So we managed to get it working. These are the things we did: We made a pfx certificate with OpenSSL; it wasn't necessary for us to install the certificate, we just put it in a folder in the app. The app which hosted the REST client was a WCF application, deployed in IIS. It was necessary for the user identity of the app pool belonging to the hosting app to have read permissions on the folder storing the certificate.
1) CREATING A .PFX CERTIFICATE WITH OPENSSL FROM YOUR PrivateKey.key & Certificate.pem
Download Win32 OpenSSL v1.0.1h
Navigate to the same directory as openssl.exe
Examples of successful creations (It can be important that you paste your command in as one line, if your text has line breaks it can pose a problem):
C:\OpenSSL-Win32\bin>openssl pkcs12 -export -out MyDirectory\certificate.pfx -inkey MyDirectory\PrivateKey.key -in MyDirectory\Certificate.pem
2) MAKE SURE THAT THE APP POOL FOR YOUR APP HAS READ PERMISSIONS TO THE FOLDER WITH YOUR CERTIFICATE
Create an app pool for your app. Make sure that the app pool user identity (IIS APPPOOL\MyAppPool) for the app pool (MyAppPool) has permissions to read the certificate (Read permission to the folder, where the certificate is located.)
APPLICATION POOLS IN IIS TUTORIALS
Application pools in IIS Part 82
Applications isolation using application pools in IIS Part 83
Application pools in IIS Security Part 84
The App Pool User has object names like: IIS APPPOOL\MyApp (Where MyApp is the name of the app pool.)
3) C# REST CLIENT IMPLEMENTATION
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;

//Method of the REST client class.
public HttpResponseDto MakeHttpsGetRequest(HttpRequestDto requestDto)
{
    HttpResponseDto responseDto = new HttpResponseDto();
    try
    {
        //Creating the X.509 certificate.
        X509Certificate2 certificate = new X509Certificate2(requestDto.CertificatePath, requestDto.CertificatePassword);
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(requestDto.RequestUri);
        //Set the Timeout.
        request.Timeout = requestDto.TimeoutMilliseconds;
        //Add certificate to request.
        request.ClientCertificates.Add(certificate);
        request.UserAgent = requestDto.UserAgent;
        request.Method = "GET";
        HttpWebResponse response = (HttpWebResponse)request.GetResponse();
        responseDto.IsException = false;
    }
    catch (Exception ex)
    {
        responseDto.IsException = true;
        responseDto.ExceptionType = ex.GetType().ToString();
        responseDto.ExceptionMessage = ex.Message;
        responseDto.ExceptionToString = ex.ToString();
        //Used for debugging certificate path.
        //responseDto.ExceptionMessage += " Certificate path: "+requestDto.CertificatePath;
        if (ex.InnerException != null)
        {
            responseDto.ExceptionMessage += " InnerException: " + ex.InnerException.Message;
        }
        //It seems like HttpWebRequest.GetResponse() throws an exception for anything other than a StatusCode 200, OK.
        //"Generally HttpWebRequest treats all non-success (200) codes to be exceptions by design."
        //So for (400) Bad Request, (404) Not Found, etc. HttpWebRequest.GetResponse() will, by default, throw a System.Net.WebException.
        //WebException contains an HttpWebResponse object, (WebException.Response Property), with all the normal HTTP Response properties
        //like: Headers, StatusCode, Message Body, etc. So we extract it below.
        if (ex is WebException)
        {
            //Casting Exception to WebException.
            WebException webException = (WebException)ex;
            //We can extract HttpWebResponse from WebResponse.
            WebResponse webResponse = webException.Response;
            if (webResponse != null)
            {
                //Casting WebException.Response to HttpWebResponse.
                HttpWebResponse httpWebResponse = (HttpWebResponse)webException.Response;
            }
        }
        else
        {
            //As discussed above, HttpWebRequest.GetResponse() throws an exception (WebException) for anything other than a StatusCode 200.
            //But we want to handle other exceptions out in the code, therefore we rethrow the exception if it's not WebException.
            throw;
        }
    }
    return responseDto;
}
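A pre-flight check for the certificate file built in step 1 and loaded in step 3, added here as an example and not part of the original posts: it reports why a loaded certificate could not be used for TLS client authentication (no private key in the file, outside its validity period, or an extended key usage list that excludes client authentication). The names ClientCertificateCheck and FindProblems are hypothetical, the sample certificate is constructed in memory, and CertificateRequest is assumed to be available (.NET Framework 4.7.2 or .NET Core 2.0 and later).

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example; ClientCertificateCheck and FindProblems are hypothetical names.
public static class ClientCertificateCheck
{
    private const string ClientAuthOid = "1.3.6.1.5.5.7.3.2"; // id-kp-clientAuth
    private const string AnyUsageOid = "2.5.29.37.0";         // anyExtendedKeyUsage
    // Returns an empty list when the certificate is usable for TLS client authentication.
    public static List<string> FindProblems(X509Certificate2 certificate, DateTime nowLocal)
    {
        List<string> problems = new List<string>();
        // A bare .pem/.crt, or a .pfx built without -inkey, has no private key to sign the handshake with.
        if (!certificate.HasPrivateKey)
            problems.Add("no private key in the loaded file");
        // NotBefore and NotAfter are reported in local time.
        if (nowLocal < certificate.NotBefore || nowLocal > certificate.NotAfter)
            problems.Add("outside validity period " + certificate.NotBefore + " - " + certificate.NotAfter);
        // An EKU extension, when present, restricts the certificate to the listed purposes.
        foreach (X509Extension extension in certificate.Extensions)
        {
            X509EnhancedKeyUsageExtension eku = extension as X509EnhancedKeyUsageExtension;
            if (eku == null) continue;
            bool clientAuthAllowed = false;
            foreach (Oid usage in eku.EnhancedKeyUsages)
                if (usage.Value == ClientAuthOid || usage.Value == AnyUsageOid) clientAuthAllowed = true;
            if (!clientAuthAllowed)
                problems.Add("extended key usage does not allow client authentication");
        }
        return problems;
    }

    public static void Main()
    {
        // Constructed sample: a throwaway self-signed certificate stands in for the issued one.
        using (RSA key = RSA.Create(2048))
        {
            CertificateRequest request = new CertificateRequest(
                "CN=constructed-sample-client", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            X509Certificate2 withKey = request.CreateSelfSigned(DateTimeOffset.Now.AddDays(-1), DateTimeOffset.Now.AddDays(30));
            // Exporting only the certificate part mimics loading Certificate.pem without PrivateKey.key.
            X509Certificate2 withoutKey = new X509Certificate2(withKey.Export(X509ContentType.Cert));
            Console.WriteLine("with key:    " + FindProblems(withKey, DateTime.Now).Count + " problem(s)");
            Console.WriteLine("without key: " + FindProblems(withoutKey, DateTime.Now).Count + " problem(s)");
        }
    }
}
```

Running FindProblems on the certificate loaded from requestDto.CertificatePath before the request is sent separates a bad certificate file from a server-side rejection.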