Creating a Digital Certificate for Betfair Login

During the writing of my book Programming for Betfair I tried to make things as simple as possible out of respect for newcomers to programming. I utilised the standard login procedure for Betfair, consisting of a username/password pair. However, when programming a new algorithmic trading platform for Betfair the most annoying aspect of the process is having to log into the servers every time you test the software. During the course of a day that is a lot of logging in, especially if you use two-factor authentication.

I have been requested by a reader to provide a tutorial for authentication with a digital certificate and so I have written this article. The process was a lot easier than I had imagined. For readers of my book I also provide code which replaces the LoginForm.

Firstly, I shall point out that the certificate that you will create will be self-signed, so don't imagine that you are now a certification authority and can start handing out certificates to anyone. The certificates in your browser, which authenticate websites to you, are signed by trusted third parties. These third parties have gone through rigorous procedures to permit their certificates to be installed inside your browser. Your certificate will be self-signed and used only for authenticating your application to Betfair and nothing else.

Betfair trusts you to sign your own certificate for your own account and no more. It is up to the user of the certificate to ensure that their security has not been compromised. That means if your account has been broken into because you have allowed someone to gain access to your private key then you are at fault and not Betfair.

The Process of Creating a Self-Signed Digital Certificate

These instructions are for Windows users. If you use another operating system then it is up to you to decipher these instructions. I cannot provide any help with that.

1) Download the OpenSSL package from Shining Light Productions. Choose the topmost Win32 OpenSSL v*.*.* Light version of the software. I have a 64-bit operating system and running the 32-bit version of the software is not going to make any difference. OpenSSL provides all the tools for creating your own certificates.

2) After downloading the package (and virus checking it) install the application, as the installer suggests, at the root of your C: drive. If asked where to copy the OpenSSL DLLs then make sure they go into the Windows system directory. The final dialog of the installer asks if you want to make a donation. If you want to then do so but if you don't then make sure you untick the check box before clicking the Finish button otherwise you will be frog-marched off to the donation site. OpenSSL is now installed.

3) Click on your Windows menu and then right-click on Computer so that you can choose its Properties. You will then see a dialog; click on Advanced system settings on the left-hand side and the following dialog will be displayed. In Windows 10, Advanced System Settings can be found by right-clicking the window on the task bar and selecting System in the menu.

Now click the Environment Variables button.


4) In the next dialog click on the New button in the System variables section, as in the following picture. Add the variable name OPENSSL_CONF, variable value C:\OpenSSL-Win32\bin\openssl.cfg and click the OK button. OpenSSL is now fully configured. If you use a different operating system to Windows 7 then consult Google.


5) Copy an updated openssl.cfg file from this link 

https://drive.google.com/open?id=0B1-pQWsdUuPtNHV1c0dRa292Qm8 

and replace the existing file in the C:\OpenSSL-Win32\bin directory. This new file commands OpenSSL to create a client side certificate rather than a server side certificate.

6) Now download this batch file 

https://drive.google.com/open?id=0B1-pQWsdUuPtYWt6MkxxelhtR0U

that I have created and which will automatically create a self-signed digital certificate for you. Once downloaded, right-click the file and run it as an administrator. You won't be able to create a certificate unless you are doing so as an administrator.

A command line interpreter window will open during the process. At some point you will be requested to enter some data, as in the following example

Country Name (2 letter code) [AU]: - e.g. GB (for Great Britain) etc.
State or Province Name (Full Name) [Some-State]: - England or whatever
Locality Name (eg, city) []: - London or whatever
Organization Name (eg, company) [Internet Widgits Pty Ltd]: - leave blank and hit return
Organizational Unit Name (eg, section) []:- leave blank and hit return
Common Name (e.g. server FQDN or YOUR name) []: your real name as known by Betfair
Email Address []: the one known to Betfair

You are then asked for a password. I didn't bother and just hit return. This password would have to be included in your authentication which already includes your username and password pair. 

If asked for an optional company name then don't give one; just hit return.

And if asked for an export password, again don't give one and hit return, and again for confirmation of the password.

When the process is complete you will see four new files in the C:\OpenSSL-Win32\bin directory:

client-2048.crt - your digital certificate
client-2048.csr - a certificate signing request
client-2048.key - your private key
client-2048.p12 - used to authenticate your application to Betfair

Your certificate file will be given to Betfair and your P12 moved to the root at C:\ and used in the login process. Copies of all should be saved somewhere safe offline.

7) Now login to the Betfair website. At the top of the screen, click My Account and then My Betfair Account in the dropdown menu. You will then see another dropdown menu called My details. Click on this and then Security settings. You will then see your security settings page. Click on the Edit link next to Automated Betting Program Access. You can now browse to your client-2048.crt file and upload it to Betfair. After the upload make sure the status is set to On.

8) For readers of my book you will need to alter your code for automatic authentication thus

a) Create a new Module called Authentication.vb (use the module creation in the book as reference) and add the following code to it, remembering to replace the placeholder words YOUR_USERNAME, YOUR_PASSWORD and YOUR_APPKEY with your details as appropriate. You will notice that the certificate location is expected to be in the root of the C: drive, so you must move the P12 file that you created to there. If you want the P12 to be elsewhere then you must change the code.

Imports System.IO
Imports System.Net
Imports System.Text
Imports Newtonsoft.Json
Imports System.Security.Cryptography
Imports System.Security.Cryptography.X509Certificates

Module Authentication

  Public Sub Login()

    Try

      'Form-encoded credentials; the string must not contain any spaces
      Dim postData As String = _
        "username=YOUR_USERNAME&password=YOUR_PASSWORD"

      'Load the P12 (certificate plus private key); "" is the empty export password
      Dim cert As New X509Certificate2("C:\client-2048.p12", "")

      Dim request As HttpWebRequest = DirectCast( _
        WebRequest.Create("https://identitysso.betfair.com/api/certlogin"), _
        HttpWebRequest)

      request.Method = "POST"
      request.ContentType = "application/x-www-form-urlencoded"
      request.Headers.Add("X-Application: YOUR_APPKEY")
      'Present the client certificate during the TLS handshake
      request.ClientCertificates.Add(cert)
      request.Accept = "application/json"

      'Send the credentials in the request body
      Using dataStream As Stream = request.GetRequestStream()

        Using writer As New _
          StreamWriter(dataStream, Encoding.[Default])

          writer.Write(postData)

        End Using

      End Using

      'Read the JSON reply and keep the session token
      Using stream As Stream = DirectCast(request.GetResponse(), _
        HttpWebResponse).GetResponseStream()

        Using reader As New StreamReader(stream, Encoding.[Default])

          Dim loginResponse As LoginResponse = _
            JsonConvert.DeserializeObject(Of LoginResponse)(reader.ReadToEnd())

          'Test only: prints the session token; delete after testing
          Form1.Print(loginResponse.sessionToken)

          SportsAPI.ssoid = loginResponse.sessionToken
          AccountsAPI.ssoid = loginResponse.sessionToken

        End Using

      End Using

    Catch ex As Exception
      Form1.Print(Now & " - Login Error: " & ex.Message)
    End Try

  End Sub

  'Class for non-interactive login
  Public Class LoginResponse
    Public sessionToken As String
    Public loginStatus As String
  End Class

End Module

Please ensure that "username=YOUR_USERNAME&password=YOUR_PASSWORD" does not contain any spaces. The Form1.Print(loginResponse.sessionToken) statement above is a test that will print out your ssoid on successful authentication. Delete or comment out this line after testing.

If you have yet to create the AccountsAPI module then comment out the line AccountsAPI.ssoid = loginResponse.sessionToken and uncomment the line when you have created the module.

b) Now change the Form1_Load subroutine in Form1.vb as follows

    Private Sub Form1_Load(sender As Object, e As EventArgs) _
      Handles MyBase.Load

        'LoginForm.Show()
        Login()
        initialise()

    End Sub

by commenting out the LoginForm.Show() statement, as LoginForm.vb is no longer needed, and then adding the call to the Login() subroutine in Authentication.vb, followed by the initialise() call that used to be in LoginForm.vb.

You should now be able to access Betfair without having to type in your username/password pair. I recommend that you keep two-factor authentication on the manual login to the Betfair website as you cannot automatically login there. If there are any problems then let me know.
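
The certificate-creation part of the procedure (steps 5 and 6) comes down to four OpenSSL commands that produce the client-2048 files listed above. The batch script below is an added example and is not the author's createcert.bat or openssl.cfg; the file name client-ext.cnf, the 365-day lifetime and the P12_PASS variable are assumptions made for the example. It ends with two checks: that the certificate carries the client-authentication extension, and that the P12 exists and opens with the export password.

```batch
@echo off
rem Added example, not the author's createcert.bat.
rem Run from C:\OpenSSL-Win32\bin in an administrator command prompt.
setlocal
set "NAME=client-2048"
rem Export password for the P12. Empty matches the "" passed to
rem X509Certificate2 in Authentication.vb (assumed variable name).
set "P12_PASS="

rem Extensions that mark the certificate as a TLS client certificate.
rem client-ext.cnf is a file name chosen for this example.
(
  echo basicConstraints = CA:FALSE
  echo keyUsage = digitalSignature, keyEncipherment
  echo extendedKeyUsage = clientAuth
) > client-ext.cnf

rem 1. 2048-bit RSA private key. This file never leaves your machine.
openssl genrsa -out %NAME%.key 2048 || goto fail

rem 2. Certificate signing request; answer the prompts as in step 6.
openssl req -new -key %NAME%.key -out %NAME%.csr || goto fail

rem 3. Self-sign the request with the same key (365 days is an assumption).
openssl x509 -req -days 365 -in %NAME%.csr -signkey %NAME%.key ^
  -out %NAME%.crt -extfile client-ext.cnf || goto fail

rem 4. Bundle certificate and private key into the P12 the application loads.
openssl pkcs12 -export -in %NAME%.crt -inkey %NAME%.key ^
  -out %NAME%.p12 -passout pass:%P12_PASS% || goto fail

rem Check 1: the certificate is usable for client authentication.
openssl x509 -in %NAME%.crt -noout -text ^
  | findstr /C:"TLS Web Client Authentication" >nul || goto fail

rem Check 2: the P12 exists and opens with the export password.
openssl pkcs12 -in %NAME%.p12 -noout -passin pass:%P12_PASS% || goto fail

echo Created %NAME%.key, %NAME%.csr, %NAME%.crt and %NAME%.p12
exit /b 0

:fail
echo Certificate creation failed; see the OpenSSL message above.
exit /b 1
```

If P12_PASS is given a value, the same value has to replace the empty string in New X509Certificate2("C:\client-2048.p12", ""). Only client-2048.crt is uploaded to Betfair; the .key and .p12 files hold the private key.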

Note

The instructions in this article were tested in February 2017 and were found to be still working. If you can prove otherwise then I would be interested to know. Any problems are probably peculiar to your computer's set up and you should either contact the creators of the OpenSSL software or the wider OpenSSL community.

Further Reading


Programming for Betfair
A guide to creating sports trading applications, is now available on Amazon. You do not need any programming experience...

7 comments:

  1. As Rory says: At the end of createcert.bat script you are prompted for an "Export Password", it is not mentioned above and pressing enter to bypass seems to mean that the client-2048.p12 is never created. Do you have a fix for this?

    1. The P12 is created when I bypass the Export Password.

  2. I don't know what I'm doing wrong, but can't get this working. When I try to upload the "client-2048.crt" file to Betfair, I get a big red X that says no SSL certificate uploaded.

    I also do not get a P12 file created as per the first person's comment here....dunno what gives :(

    1. If you have followed the instructions correctly then the problem can only be the installation of the software and your computer's interaction with it.

      Unfortunately, such a situation is out of my control and not something I can help with. You would have to seek help on an appropriate security forum.

  3. Thank you so much for this tip, it was very helpful, thank you!
