Client-side certificates are a way to more securely identify a user of a web application. VuGen supports client-side certificates, but there are one or two gotchas...

To use a certificate, you call web_set_certificate_ex function. This function can either use a certificate that is on the file system (using the CertFilePath argument), or a certificate that has been installed in Internet Explorer (using the CertIndex argument).

It is always preferred to reference a certificate file that is on the local filesystem, as referencing a certificate installed in Internet Explorer has several disadvantages:

  • If you are using it with LoadRunner, all virtual users will use the same certificate
  • If you are using it with a BPM script, the certificate is only available to the user account that you installed the certificate with. i.e. if you log in as "daniel" and install a certificate, but your BPM runs under the "system" account, then the script will not be able to reference the certificate.
  • If you have multiple BPMs, the certificate must be installed in the same order on each computer (so the CertIndex argument is the same on each).

Client-side certificates come in a variety of formats. VuGen supports PEM or ASN1 (sockets replay only, not WinInet), but certificates in other formats should be able to be converted to a usable format.

Digital certificate - .pfx file was supplied by technical team.
Steps required to get this to work:

1. Import certificate into IE -> Tools -> Internet Options -> Content -> Certificates.
Under Personal tab click import and find the .pfx file. Click Next and make sure you
click on "Mark this key as exportable..." then hit next again. Place the cert under

2. Export the cert, select to export the private key. Select include all certificates,
and uncheck strong protection. Leave password blank and export it as a pfx file.

3. In a dos prompt, go to LR bin directory and run:

\bin\openssl pkcs12 -in  -out \cert.pem 

Press  when prompted for import password.

Enter a PEM pass phrase, ie. 1234

You should now have a cert.pem file

Location of the ipsp.pem is place in the extracted script directory.
If you want to put the certificate somewhere else, you can provide a full
file path to the certificate. e.g. "C:\\BPM\\cert.pem"


If you have any other tips on using client-side certificates, please leave a comment.

Tech tips from JDS


I have recorded the script on my local machine; changed it to add basic authentication.
Script is working fine on my local machine but throwing below error while running it from Load Injector:

Error -27494: “InternetSetOption for INTERNET_OPTION_SECURITY_SELECT_CLIENT_CERT” failed (Windows error code=87) following an HttpSendRequest failure (Windows error code=12044) for URL=https://abc…

script is like:


// Create Base64 encoded string

b64_encode_string(“userid:pswd”, “BasicAuth” );

// Add HTTP Authorization header “Authorization: Basic XXXXXXXXXXXXXXXXXX==\r\n”
web_add_header(“Authorization”, lr_eval_string(“Basic {BasicAuth}”));

lr_start_transaction(“01 AutheticationViaSSG Correct Credentials”);


“EncType=text/xml; charset=\”UTF-8\””,

can you please help.

vardhan patil

Does client certificate requires private or public key??


I tried this option and I am able to record now and login into the client, however after recording when the script is generated it asks for the cert and while rerunning the script I get an error “MERR-26612” and “MMSG-26388”


We are doing web service scripting using 2-Way SSL. I can open WSDL url in IE after giving private key.

While importing same URL in LR 11 (Web Service Protocol), we are getting error “The specified WSDL may be incompatible with the selected toolkit. Try using different toolkit”

For HTTP protocol we are getting “Error -27770: Cannot set Key File for certificate”



Thanks for pointing that out the typo. They are infact the same file. I’ll make the correction shortly.


Rufeng Xu-Friedman

Excellent. Thanks.

Just have one question. On the command line, you have the file name as cert.pem. In the example, you have it as ipsp.pem. Are you referring to the same file? Or there is another file created called ipsp.pem?