HttpClient with Client certificate and accepting all server certificates

  • Question

  • Hello,

    my app connects to a server that some users have set up on their own. As such, some use SSL with self-signed server certificates and my app must accept them. I use this code and it works:

    var filter = new Windows.Web.Http.Filters.HttpBaseProtocolFilter();
    
    filter.IgnorableServerCertificateErrors.Add(Windows.Security.Cryptography.Certificates.ChainValidationResult.Expired);
    filter.IgnorableServerCertificateErrors.Add(Windows.Security.Cryptography.Certificates.ChainValidationResult.Untrusted);
    filter.IgnorableServerCertificateErrors.Add(Windows.Security.Cryptography.Certificates.ChainValidationResult.InvalidName);
    
    
    Windows.Web.Http.HttpClient client = new Windows.Web.Http.HttpClient(filter);
    
     

    Now some users also have a client certificate which the Server has to accept. How can I do this?

    I have found this online:

    var clientcert = new HttpClientHandler
    {
      ClientCertificateOptions = ClientCertificateOption.Automatic
    };
    
    Windows.Web.Http.HttpClient client = new Windows.Web.Http.HttpClient(clientcert);

    However, now the constructor for the HttpClient does not use the filter I created. I therefore would have to choose between creating the HttpClient for accepting all server certificates or for presenting my own client certificate.

    How could I get both to work?

    Thursday, September 7, 2017 5:17 PM

All replies

  • Hi slimshady322,

    I think you have mixed up the HttpClient class in the Windows.Web.Http namespace and the one in the System.Net.Http namespace. The Windows.Web.Http namespace provides a modern HTTP client API for Windows Store apps, and classes in the System.Net.Http namespace can be used to develop Windows Store apps or desktop apps; they are different. You can see the blog to learn how to use both APIs, especially the "Using Client Certificates" part:
    https://blogs.windows.com/buildingapps/2015/11/23/demystifying-httpclient-apis-in-the-universal-windows-platform/

    Best regards,

    Breeze


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    • Edited by Breeze Liu Friday, September 8, 2017 6:01 AM
    Friday, September 8, 2017 5:59 AM
  • Thank you for your response.

    I had already found that article but I see now that I indeed mixed the two HttpClients up. I intend to use the Windows.Web.Http one and this seems to be fine with the code I already use with HttpBaseProtocolFilter.

    The article only mentions this concerning Client Certificates: "There are two options for authenticating using client certificate – the default is to present UI for the user to choose the certificate."

    How can I trigger this UI for the user to select a Client Certificate?

    Regards,

    Philipp

    Friday, September 8, 2017 8:37 AM
  • Hi slimshady322,

    Firstly, you should get the certificates and display them in the UI, such as in a ListView or a ListBox control, to let the user select one. This is the sample code to query with a query name:

    Windows.Security.Cryptography.Certificates.CertificateQuery certQuery = new Windows.Security.Cryptography.Certificates.CertificateQuery();
    certQuery.FriendlyName = "Test Certificate"; // This is the friendly name of the certificate that was just installed.
    IReadOnlyList<Windows.Security.Cryptography.Certificates.Certificate> certificates = await Windows.Security.Cryptography.Certificates.CertificateStores.FindAllAsync(certQuery);

    // TODO here you can display the certificates in the UI to make the User select.

    if (certificates.Count == 1)
    {
        Windows.Web.Http.Filters.HttpBaseProtocolFilter aBPF = new Windows.Web.Http.Filters.HttpBaseProtocolFilter();
        aBPF.ClientCertificate = certificates[0]; // This line is required for Windows Phone 8.1 app
        Windows.Web.Http.HttpClient aClient = new Windows.Web.Http.HttpClient(aBPF);
        await aClient.GetAsync(...);
    }
    else
    {
        // Typically you should only have a single certificate that matches the certificate search criteria, since you only installed one such certificate!
    }

    See the following blog and a similar thread,

    https://blogs.msdn.microsoft.com/wsdevsol/2014/07/31/programmatically-create-and-configure-a-client-certificate-for-use-in-your-windows-runtime-based-app/

    https://social.msdn.microsoft.com/Forums/en-US/067dc2b8-0ec4-492f-8aa3-050981aadc22/uwpclient-ssl-certificate-in-uwp?forum=wpdevelop

    Best regards,

    Breeze



    • Proposed as answer by Breeze Liu Thursday, September 14, 2017 8:36 AM
    • Marked as answer by slimshady322 Friday, September 15, 2017 4:35 PM
    Friday, September 8, 2017 9:08 AM
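
Added example, not part of the thread: one HttpBaseProtocolFilter can carry both the ignorable server certificate errors from the question and the ClientCertificate from the answer. Because ignoring Untrusted, InvalidName and Expired makes the client accept any server certificate, this sketch also pins the user's own server certificate by thumbprint. It assumes a Windows 10 target where HttpBaseProtocolFilter.ServerCustomValidationRequested is available; the class name, method name and the `pinnedSha256Hex` value are hypothetical.

```csharp
using System;
using Windows.Security.Cryptography.Certificates;
using Windows.Web.Http;
using Windows.Web.Http.Filters;

public static class SelfHostedClientFactory // hypothetical helper, not from the thread
{
    // clientCert: the certificate the user picked from the FindAllAsync results (may be null).
    // pinnedSha256Hex: SHA-256 thumbprint (hex) of the user's own server certificate,
    // stored by the app when the user first approved that server (assumption).
    public static HttpClient Create(Certificate clientCert, string pinnedSha256Hex)
    {
        var filter = new HttpBaseProtocolFilter();

        // Same errors the question ignores, so self-signed servers still connect.
        filter.IgnorableServerCertificateErrors.Add(ChainValidationResult.Untrusted);
        filter.IgnorableServerCertificateErrors.Add(ChainValidationResult.InvalidName);
        filter.IgnorableServerCertificateErrors.Add(ChainValidationResult.Expired);

        // The client certificate goes on the same filter, as in the answer.
        if (clientCert != null)
        {
            filter.ClientCertificate = clientCert;
        }

        // Runs while the TLS connection is being established. Reject every
        // server certificate except the one the user approved.
        filter.ServerCustomValidationRequested += (sender, args) =>
        {
            byte[] hash = args.ServerCertificate.GetHashValue("SHA256");
            string actualHex = BitConverter.ToString(hash).Replace("-", "");
            if (!string.Equals(actualHex, pinnedSha256Hex, StringComparison.OrdinalIgnoreCase))
            {
                args.Reject();
            }
        };

        return new HttpClient(filter);
    }
}
```

With the pin in place, the ignored chain errors only let the approved self-signed certificate through; a different certificate presented on the same host name fails the request instead of receiving the client certificate and request data.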