Client-side certificates are a way to more securely identify a user of a web application. VuGen supports client-side certificates, but there are one or two gotchas…
To use a certificate, call the web_set_certificate_ex function. This function can use either a certificate that is on the file system (using the CertFilePath argument) or a certificate that has been installed in Internet Explorer (using the CertIndex argument).
It is always preferable to reference a certificate file on the local filesystem, as referencing a certificate installed in Internet Explorer has several disadvantages:
- If you are using it with LoadRunner, all virtual users will use the same certificate
- If you are using it with a BPM script, the certificate is only available to the user account that you installed the certificate with. For example, if you log in as “daniel” and install a certificate, but your BPM runs under the “system” account, then the script will not be able to reference the certificate.
- If you have multiple BPMs, the certificate must be installed in the same order on each computer (so the CertIndex argument is the same on each).
Client-side certificates come in a variety of formats. VuGen supports PEM or ASN1 (sockets replay only, not WinInet), but it should be possible to convert certificates in other formats to a usable format.
```c
/*
Digital certificate - .pfx file was supplied by technical team.
Steps required to get this to work:

1. Import certificate into IE -> Tools -> Internet Options -> Content -> Certificates.
   Under Personal tab click import and find the .pfx file.
   Click Next and make sure you click on "Mark this key as exportable..." then hit next again.
   Place the cert under Personal.
2. Export the cert, select to export the private key.
   Select include all certificates, and uncheck strong protection.
   Leave password blank and export it as a pfx file.
3. In a dos prompt, go to LR bin directory and run:
   \bin\openssl pkcs12 -in -out \cert.pem
   Press when prompted for import password.
   Enter a PEM pass phrase, i.e. 1234
   You should now have a cert.pem file

The ipsp.pem file is placed in the extracted script directory.
If you want to put the certificate somewhere else, you can provide a
full file path to the certificate, e.g. "C:\\BPM\\cert.pem"
*/
web_set_certificate_ex(
    "CertFilePath=cert.pem",
    "CertFormat=PEM",
    "KeyFilePath=cert.pem",
    "KeyFormat=PEM",
    "Password=1234",
    LAST);
```
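A pre-flight check for the converted file, as an added example that is not part of the original post: the script above passes the same cert.pem as both CertFilePath and KeyFilePath together with a Password, so the file has to hold a certificate and a passphrase-protected private key. The function and flag names are hypothetical, and the check reads PEM headers only; it does not validate the certificate or test the passphrase.

```c
#include <stdio.h>
#include <string.h>
/* Flags describing what a PEM bundle contains (names are hypothetical). */
enum { PEM_HAS_CERT = 1, PEM_HAS_KEY = 2, PEM_KEY_ENCRYPTED = 4, PEM_ALL = 7 };
#define STARTS(s, p) (strncmp((s), (p), strlen(p)) == 0)

/* Classify one line; *in_key is set while inside a private key block. */
static int pem_scan_line(const char *line, int *in_key)
{
    int flags = 0;
    if (STARTS(line, "-----BEGIN CERTIFICATE-----")) {
        flags = PEM_HAS_CERT;
    } else if (STARTS(line, "-----BEGIN ") && strstr(line, "PRIVATE KEY-----")) {
        flags = PEM_HAS_KEY;
        *in_key = 1;
        /* PKCS#8 form: -----BEGIN ENCRYPTED PRIVATE KEY----- */
        if (strstr(line, "ENCRYPTED")) flags |= PEM_KEY_ENCRYPTED;
    } else if (STARTS(line, "-----END ")) {
        *in_key = 0;
    } else if (*in_key && STARTS(line, "Proc-Type:") && strstr(line, "ENCRYPTED")) {
        flags = PEM_KEY_ENCRYPTED;   /* legacy form: Proc-Type: 4,ENCRYPTED */
    }
    return flags;
}

/* Scan PEM text (the contents of cert.pem) and return the combined flags. */
int pem_inspect_text(const char *text)
{
    int flags = 0, in_key = 0;
    while (*text) {
        char line[128];
        size_t len = strcspn(text, "\n");
        size_t n = len < sizeof line - 1 ? len : sizeof line - 1;
        memcpy(line, text, n); line[n] = '\0';
        flags |= pem_scan_line(line, &in_key);
        text += len + (text[len] == '\n');
    }
    return flags;
}

/* Exit 0: cert + encrypted key present; 1: something missing; 2: cannot read. */
int main(int argc, char **argv)
{
    static char buf[65536];
    FILE *fp = argc > 1 ? fopen(argv[1], "r") : NULL;
    if (!fp) return 2;
    buf[fread(buf, 1, sizeof buf - 1, fp)] = '\0';
    fclose(fp);
    return (pem_inspect_text(buf) & PEM_ALL) == PEM_ALL ? 0 : 1;
}
```

An exit status of 1 means the file lacks a certificate, lacks a private key, or holds the key unencrypted.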
If you have any other tips on using client-side certificates, please leave a comment.