Secure PFX password for CertificateEnrollmentManager

Question
-
I have the need to connect to a server that requires client authentication. Without much help of the MSDN docs I figured it out eventually and can connect to the server now.
    // Namespace alias the snippet relies on (not shown in the original post)
    var Certificates = Windows.Security.Cryptography.Certificates;

    var certQuery = new Certificates.CertificateQuery();
    certQuery.friendlyName = "My Cert";

    Certificates.CertificateStores.findAllAsync(certQuery)
        .then(function (certs) {
            // Import the bundled PFX only when the certificate is not in the store yet
            if (!certs.length) {
                return Windows.ApplicationModel.Package.current.installedLocation.getFileAsync("cert.pfx")
                    .then(Windows.Storage.FileIO.readBufferAsync)
                    .then(function (buffer) {
                        // importPfxDataAsync takes the PFX as a Base64 string
                        return WinJS.Promise.as(Windows.Security.Cryptography.CryptographicBuffer.encodeToBase64String(buffer));
                    })
                    .then(function (cert) {
                        // "XXXXX" is the hard-coded PFX password this question is about
                        return Certificates.CertificateEnrollmentManager.importPfxDataAsync(
                            cert,
                            "XXXXX",
                            Certificates.ExportOption.exportable,
                            Certificates.KeyProtectionLevel.noConsent,
                            Certificates.InstallOptions.none,
                            "My Cert");
                    });
            }
        })
        .then(function () {
            // Call the server that requires client authentication
            WinJS.xhr({ url: "https://url.com:8443/rest/me" }).then(function onComplete(response) {
                console.trace("OK");
            }, function onError(response) {
                console.error(response);
            });
        });
However, I do not like to have the PFX password in the JS source. Are there any other options? Since the app will only be installed as side-loaded I think it would be possible to deploy the PFX via the Domain Server policies or something?
Thursday, February 27, 2014 10:23 PM
Answers
-
A possible solution: write a C# component that utilizes the DataProtectionProvider:
http://msdn.microsoft.com/en-us/library/windows/apps/windows.security.cryptography.dataprotection.dataprotectionprovider.aspx
Matt Small - Microsoft Escalation Engineer - Forum Moderator
If my reply answers your question, please mark this post as answered.
NOTE: If I ask for code, please provide something that I can drop directly into a project and run (including XAML), or an actual application project. I'm trying to help a lot of people, so I don't have time to figure out weird snippets with undefined objects and unknown namespaces.
- Edited by Matt Small (Microsoft employee, Moderator) Monday, March 3, 2014 1:37 PM
- Marked as answer by Matt Small (Microsoft employee, Moderator) Thursday, March 6, 2014 2:41 PM
Monday, March 3, 2014 1:37 PM Moderator
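A sketch of the kind of C# Windows Runtime component this answer suggests, as an added example that is not part of the original thread or anyone's production code. The namespace `CertHelper`, the class `PfxSecrets`, its method names and the settings key are hypothetical, and it assumes the password is supplied once at provisioning time (for example typed in by an administrator) instead of shipping inside the package.

```csharp
// Added example. CertHelper, PfxSecrets, SettingKey and the method names are
// hypothetical; the Windows.* types are the WinRT APIs named in the answer.
using System;
using System.Threading.Tasks;
using Windows.Foundation;
using Windows.Security.Cryptography;
using Windows.Security.Cryptography.DataProtection;
using Windows.Storage;
using Windows.Storage.Streams;

namespace CertHelper
{
    public sealed class PfxSecrets
    {
        private const string SettingKey = "pfxPasswordProtected"; // hypothetical key

        // Provisioning: protect a password obtained at run time; only the blob is stored.
        public static IAsyncAction StorePasswordAsync(string password)
        {
            return StoreAsync(password).AsAsyncAction();
        }

        // Later runs: yields an empty string when nothing has been provisioned.
        public static IAsyncOperation<string> LoadPasswordAsync()
        {
            return LoadAsync().AsAsyncOperation();
        }

        private static async Task StoreAsync(string password)
        {
            // "LOCAL=user" ties the blob to the current user on this machine.
            var provider = new DataProtectionProvider("LOCAL=user");
            IBuffer clear = CryptographicBuffer.ConvertStringToBinary(password, BinaryStringEncoding.Utf8);
            IBuffer blob = await provider.ProtectAsync(clear);
            ApplicationData.Current.LocalSettings.Values[SettingKey] =
                CryptographicBuffer.EncodeToBase64String(blob);
        }

        private static async Task<string> LoadAsync()
        {
            var stored = ApplicationData.Current.LocalSettings.Values[SettingKey] as string;
            if (stored == null) return string.Empty;
            // The parameterless constructor is the one used for unprotecting.
            var provider = new DataProtectionProvider();
            IBuffer clear = await provider.UnprotectAsync(CryptographicBuffer.DecodeFromBase64String(stored));
            return CryptographicBuffer.ConvertBinaryToString(BinaryStringEncoding.Utf8, clear);
        }
    }
}
```

From the WinJS code, the password argument of `importPfxDataAsync` would then come from `CertHelper.PfxSecrets.loadPasswordAsync()` in place of the string literal.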
All replies
-
I'm wondering if you could use the PasswordVault for this scenario:
http://msdn.microsoft.com/en-us/library/windows/apps/windows.security.credentials.passwordvault.aspx
Matt Small - Microsoft Escalation Engineer - Forum Moderator
Friday, February 28, 2014 2:35 PM Moderator
-
I would still have to save the password in plain sight in the JS code for that.
Saturday, March 1, 2014 6:19 PM