How to send a Client Certificate to an SSL host from an ASP.NET v4.0 host using WebClient

  • Question

  • My ASP.NET application has to get information from another host over an SSL connection and pass a provided Client certificate as well. Works from my development machine when added to the certificate store, but I don't have that option on the server and must supply it via code (C# .NET 4.0).

    I have the client certificate user.p12 and password.  I load them in my application to a new X509Certificate (cert, password) with no complaints.

    If I get my ServicePoint from the ServicePointManager for my connection I see the ServicePoint.Certificate for the SSL there but no ServicePoint.ClientCertificate.

    When I do a packet trace on my internet connection I see the remote server ask for the Certificate Request but my server (the client here) sends an empty certificate, which of course the remote host does not like and drops the connection!!!!

    I can't figure out where/how to tell the system to send my client certificate in code.  Can anyone help!!

    Thursday, March 26, 2015 3:32 PM

All replies

  • Hello Peter249,

    >> but I don't have that option on the server and must supply it via code (C# .NET 4.0).

    From your description, it seems that you are trying to create an SSL communication between your server side and client side. As far as I know, we need to install the certificate file on both the client side and the server side, and if you are using server mode, for creating the SSL communication, we must import a certificate with the associated private key to the server machine's Personal store. For details, please check this link:

    SSLStream example - how do I get certificates that work?

    By the way, since you are working with a web project, it is recommended to post asp.net related issues to:

    http://www.asp.net/

    Regards.





    Friday, March 27, 2015 6:39 AM
    Moderator
  • Thanks Fred.

     I looked at the link, but this does not apply to me.

    The remote host that I need to communicate with is not mine (US government thing).  That server requires three levels of protection.

    1) Standard SSL data encryption (standard root authorities -- This works fine).

    2) The remote server requests the client certificate.  This certificate is supplied to me with a password. If I install this on my development system it works.  The problem is when in production, I cannot install the certificate this way.  I tried attaching it to the HttpWebRequest but that does not work either. I need somehow to let the OS know how to find this client certificate so the change from the standard root encryption to this private encryption can take place.

    3) Standard username/password authentication.  (This works fine).

    Thanks


    • Edited by Peter249 Friday, March 27, 2015 11:54 AM
    Friday, March 27, 2015 11:53 AM
  • Hello,

    >>The remote server requests the client certificate.  This certificate is supplied to me with a password. If I install this on my development system it works.  The problem is when in production, I cannot install the certificate this way.

    I suggest that you could try with server side authentication, then you do not need to send your cer file to the government thing. You could ask for the .cer file from the government thing and install it to your personal store.

    Regards.



    Monday, March 30, 2015 2:47 AM
    Moderator
  • Hi Fred,

    Well we are getting closer -- we are on the same stick, just different ends.....

    I did receive the client certificate for the government things server.  IIS/.NET require the certificate to be stored on Local Machine/MY store of my host.  The problem is this is a shared Web hosting platform and I do not have admin rights to install the client certificate in that store.  This is why I need some way to let the SslStream (or something like that) know about the private root certificate so the client certificate could be encrypted correctly.

    I have a very bad feeling that this may not be possible without a whole lot of code development to replace the System.Net.Security section of the .NET library :(.

    Regards

    Monday, March 30, 2015 11:41 AM
  • Hello,

    As far as I know, we need to install the .cer file to both client and server side.

    >> I have a very bad feeling that this may not be possible without a whole lot of code development to replace the System.Net.Security section of the .NET library :(.

    You could have a try since .NET is open-source; however, it should not be easily done, as you mention.

    Regards.



    Monday, March 30, 2015 12:03 PM
    Moderator
  • Actually you should have the right to store things in the MY store. That's physically a folder in your user profile local folder. AFAIK, all IIS7 or later servers should have created a separate "application pool identity user" for each application pool.

    You may want to try again. That's a lot easier than implementing your own encryption channel. Btw, the .NET SSL provider is just a wrapper over the Windows API one so there's no code to copy from (it'll use those 2 certificate stores anyway). If you want to try to implement a secure channel yourself, I'd advise you to check the source code of OpenSSH. Yes, you need to port it, but at least it's feasible.


    Tuesday, March 31, 2015 1:31 AM
    Answerer
  • The client is running under an IIS/ASP.NET application.  This uses the Local Machine store for certificates, which requires an admin privilege to access through code.

    The communication looks like this:

       Client Browser <--1--> My IIS Web Application <--2--> Remote web host

    The client certificate is required between My IIS web app and the Remote host.

    http://support.microsoft.com/en-us/kb/901183

    Thanks

    Tuesday, March 31, 2015 11:48 AM
  • If I understand correctly, your web application merely needs to create a connection to another server over HTTPS. You don't need to use the Local Machine store, so admin rights are not required.
    Wednesday, April 1, 2015 1:45 AM
    Answerer
  • Yes Cheong00 that's correct, except the second part.  The other server has 3 levels of protection required.

    1) Standard HTTPS (SSL) using standard root CA certificates (thawte).

    2) Then switches to a private client certificate and private root CA for SSL encryption.

    3) Then requires standard Username and Password.

    The problem is I need admin rights to store the private root CA into the local machine store in step #2.  Without this private root CA the client certificate won't encode correctly.  I can't seem to find a way to specify this to the SSL logic through code.  I have/can embed the certificate into my code, but just can't figure out how to have it used from code instead of the local certificate store.

    Thanks 

    Wednesday, April 1, 2015 10:13 AM
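The two things the thread circles around are (a) attaching the P12 client certificate to the outgoing request from code rather than from a store, and (b) trusting a server chain that ends at a private root CA without admin rights to install that root. The following C# (.NET Framework 4.0) snippet is an added example written for this page; it is not code from the original posts. It assumes the P12 bytes, its password, and the DER/PEM bytes of the private root CA are shipped with the application (for instance as embedded resources), and it uses placeholder names for the URL, host and credentials.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example (not from the thread). All names below are assumptions:
// the caller supplies the real URL, P12 bytes, password and root CA bytes.
static class ClientCertHttps
{
    public static string GetWithClientCertificate(
        string url, byte[] p12Bytes, string p12Password, byte[] privateRootCaBytes,
        string userName, string password)
    {
        // MachineKeySet matters under IIS: the application pool identity usually has
        // no loaded user profile, so the per-user key store is unavailable. Without
        // this flag the private key cannot be used and SChannel silently sends an
        // empty certificate in the handshake, which is what the packet trace showed.
        var clientCert = new X509Certificate2(p12Bytes, p12Password,
                                              X509KeyStorageFlags.MachineKeySet);
        if (!clientCert.HasPrivateKey)
            throw new InvalidOperationException(
                "P12 loaded without a private key; it cannot authenticate the client.");

        var pinnedRoot = new X509Certificate2(privateRootCaBytes);
        var targetHost = new Uri(url).Host;

        // .NET 4.0 has no per-request callback, only this process-wide one, so scope
        // it to the one host that uses the private PKI and keep default validation
        // for every other HTTPS destination in the application.
        ServicePointManager.ServerCertificateValidationCallback =
            (sender, serverCert, chain, errors) =>
            {
                var req = sender as HttpWebRequest;
                if (req == null ||
                    !targetHost.Equals(req.RequestUri.Host, StringComparison.OrdinalIgnoreCase))
                    return errors == SslPolicyErrors.None;
                return ChainsToPinnedRoot(serverCert, pinnedRoot);
            };

        var request = (HttpWebRequest)WebRequest.Create(url);
        request.ClientCertificates.Add(clientCert);                        // level 2 in the thread
        request.Credentials = new NetworkCredential(userName, password);  // level 3 in the thread
        request.PreAuthenticate = true;

        using (var response = (HttpWebResponse)request.GetResponse())
        using (var reader = new StreamReader(response.GetResponseStream()))
            return reader.ReadToEnd();
    }

    // Rebuild the server chain with the embedded private root as an extra anchor.
    // Only "untrusted root" is tolerated; expiry, name mismatch or a bad signature
    // still fail, and the chain must really terminate at the pinned root.
    static bool ChainsToPinnedRoot(X509Certificate serverCert, X509Certificate2 pinnedRoot)
    {
        var chain = new X509Chain();
        chain.ChainPolicy.ExtraStore.Add(pinnedRoot);
        chain.ChainPolicy.VerificationFlags =
            X509VerificationFlags.AllowUnknownCertificateAuthority;
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // private PKI, no reachable CRL
        chain.Build(new X509Certificate2(serverCert));

        foreach (var status in chain.ChainStatus)
        {
            if (status.Status != X509ChainStatusFlags.NoError &&
                status.Status != X509ChainStatusFlags.UntrustedRoot)
                return false;
        }

        var root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        return string.Equals(root.Thumbprint, pinnedRoot.Thumbprint,
                             StringComparison.OrdinalIgnoreCase);
    }
}
```

If the code must stay on WebClient, subclass it and override GetWebRequest to add the certificate to the returned HttpWebRequest.ClientCertificates; the validation callback is the same either way. The callback never returns true unconditionally: that would disable server authentication for the whole process. If the trace still shows an empty certificate after this change, compare the issuer names in the server's CertificateRequest with the issuer chain of the P12, since SChannel only offers a client certificate whose issuer the server announced it accepts.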
  • Haven't tried that; I had expected the client certificate only needs to be signed by the remote server's root CA.

    The last time I was required to use a client certificate was in a government environment where each and every machine (including workstations and servers) has the AD's cert server root CA installed, so the validation goes without problem, so I don't know whether it works or not. If it isn't working, sorry to hear that.


    Wednesday, April 1, 2015 12:53 PM
    Answerer
  • Hi cheong00

    Yes it is a government environment that I am accessing.  It all works fine on my development system (because I have admin rights to add the private root CA).

    I'm thinking of moving to an un-shared web service (i.e. Virtual server) but this is 2.5 times the cost.

    regards

    Wednesday, April 1, 2015 2:32 PM
  • Sometimes, when we want to reach a certain goal, we need to pay a certain price; in your case, I think this cost is the price.


    Friday, April 3, 2015 10:25 AM