14

I have a p12 certificate, that I load it in this way:

X509Certificate2 certificate = new X509Certificate2(certName, password,
        X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet |
        X509KeyStorageFlags.Exportable);

It is loaded correcty, in fact If i do certificate.PrivateKey.ToXmlString(true); it returns a complete xml without errors. But If I do:

try
{
    X509Chain chain = new X509Chain();
    var chainBuilt = chain.Build(certificate);
    Console.WriteLine("Chain building status: "+ chainBuilt);

    if (chainBuilt == false)
        foreach (X509ChainStatus chainStatus in chain.ChainStatus)
            Console.WriteLine("Chain error: "+ chainStatus.Status);
}
catch (Exception ex)
{
    Console.WriteLine(ex);
}

it writes:

Chain building status: False
Chain error: RevocationStatusUnknown 
Chain error: OfflineRevocation

so when I do:

        ServicePointManager.CheckCertificateRevocationList = false;
    ServicePointManager.ServerCertificateValidationCallback = (a, b, c, d) => true;
    ServicePointManager.Expect100Continue = true;
    Console.WriteLine("connessione a:" + host);
    HttpWebRequest req = (HttpWebRequest)WebRequest.Create(host);
    req.PreAuthenticate = true;
    req.AllowAutoRedirect = true;
    req.ClientCertificates.Add(certificate);
    req.Method = "POST";
    req.ContentType = "application/x-www-form-urlencoded";
    string postData = "login-form-type=cert";
    byte[] postBytes = Encoding.UTF8.GetBytes(postData);
    req.ContentLength = postBytes.Length;
    Stream postStream = req.GetRequestStream();
    postStream.Write(postBytes, 0, postBytes.Length);
    postStream.Flush();
    postStream.Close();

    WebResponse resp = req.GetResponse();

the server says that the certificate is not sent/valid.

My question is:

  • how can I sent the certificate even with chain build false?
  • there is another class to post a certificate that does not check the certificate validation before send it?

many thanks. Antonino

Perry
  • 1,113
  • 2
  • 10
  • 22
  • Does the web server trust the issuer of your client certificate? If not, the web server will reject the client certificate. – sly Sep 16 '16 at 15:46
  • Yeah, I forgot to mention that if I add the certificate to user certificates and I try to connect with internet explorer the connection works. – Perry Sep 16 '16 at 16:49
  • I tested your code using a PKCS12 (.pfx) certificate containing a private key and it was successful – sly Sep 16 '16 at 17:07
  • mine is a p12 file. was you able to connect with the certificate? It is installed in user certificate key set or in the computer key set? (I have windows in italian, I am not sure about the terms) – Perry Sep 17 '16 at 06:27
  • Yes, I was able to connect with the certificate which is installed in the current user store. Since it works in IE, try exporting the certificate with the private key from IE to .pfx [Export Certificates (Windows)](https://support.comodo.com/index.php?/Knowledgebase/Article/View/1004/66/export-certificates-windows), then reference that exported .pfx file from your code. – sly Sep 19 '16 at 03:05
  • nothing, even with the pfx certificate, no chance to login. The strange thing is if I remove the certificate, commenting `req.ClientCertificates.Add(certificate);` the connection log is the same in fiddler...so looks like this line is not useful. – Perry Sep 19 '16 at 13:18
  • I tried commenting out the line `req.ClientCertificates.Add(certificate);` in my command-line program but it throws an exception. See if you can create a command-line program with the same code to see if at least the exported pfx certificate works. I've provided the modified code as an answer below. Also, if you're getting an exception please provide the stack trace. – sly Sep 19 '16 at 14:11

4 Answers4

31

I resolved the problem, The point is that a P12 file (as a PFX) contains more then 1 certificate, so it must be loaded in this way: 

X509Certificate2Collection certificates = new X509Certificate2Collection();
certificates.Import(certName, password, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);

and added to a HttpWebRequest in this way: request.ClientCertificates = certificates;

Thanks everybody for support.

COMPLETE SAMPLE CODE

string host = @"https://localhost/";
string certName = @"C:\temp\cert.pfx";
string password = @"password";

try
{
    X509Certificate2Collection certificates = new X509Certificate2Collection();
    certificates.Import(certName, password, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);

    ServicePointManager.ServerCertificateValidationCallback = (a, b, c, d) => true;
    HttpWebRequest req = (HttpWebRequest)WebRequest.Create(host);
    req.AllowAutoRedirect = true;
    req.ClientCertificates = certificates;
    req.Method = "POST";
    req.ContentType = "application/x-www-form-urlencoded";
    string postData = "login-form-type=cert";
    byte[] postBytes = Encoding.UTF8.GetBytes(postData);
    req.ContentLength = postBytes.Length;

    Stream postStream = req.GetRequestStream();
    postStream.Write(postBytes, 0, postBytes.Length);
    postStream.Flush();
    postStream.Close();
    WebResponse resp = req.GetResponse();

    Stream stream = resp.GetResponseStream();
    using (StreamReader reader = new StreamReader(stream))
    {
        string line = reader.ReadLine();
        while (line != null)
        {
            Console.WriteLine(line);
            line = reader.ReadLine();
        }
    }

    stream.Close();
}
catch(Exception e)
{
    Console.WriteLine(e);
}
Perry
  • 1,113
  • 2
  • 10
  • 22
  • thank you for this. I helped me a lot. Is there a way to add the certificate from the certificate store, rather than specify an actual file? I used to do this with WINHTTP.DLL, with this line of code : " m_ServerObj.SetClientCertificate "LOCAL_MACHINE\My\certname" – yaronkl Jul 27 '17 at 09:09
  • Works fine until you have to use the certificate on another machine then you get an error that the password is incorrect. Any idea why that might happen? – Scott Wilson Mar 10 '22 at 20:59
3

I created a command-line program using a modified version of your code with a pfx cert containing the private key exported from IE and I'm able to authenticate to a secure website and retrieve protected pages:

string host = @"https://localhost/";
string certName = @"C:\temp\cert.pfx";
string password = @"password";

try
{
    X509Certificate2 certificate = new X509Certificate2(certName, password);

    ServicePointManager.CheckCertificateRevocationList = false;
    ServicePointManager.ServerCertificateValidationCallback = (a, b, c, d) => true;
    ServicePointManager.Expect100Continue = true;
    HttpWebRequest req = (HttpWebRequest)WebRequest.Create(host);
    req.PreAuthenticate = true;
    req.AllowAutoRedirect = true;
    req.ClientCertificates.Add(certificate);
    req.Method = "POST";
    req.ContentType = "application/x-www-form-urlencoded";
    string postData = "login-form-type=cert";
    byte[] postBytes = Encoding.UTF8.GetBytes(postData);
    req.ContentLength = postBytes.Length;

    Stream postStream = req.GetRequestStream();
    postStream.Write(postBytes, 0, postBytes.Length);
    postStream.Flush();
    postStream.Close();
    WebResponse resp = req.GetResponse();

    Stream stream = resp.GetResponseStream();
    using (StreamReader reader = new StreamReader(stream))
    {
        string line = reader.ReadLine();
        while (line != null)
        {
            Console.WriteLine(line);
            line = reader.ReadLine();
        }
    }

    stream.Close();
}
catch(Exception e)
{
    Console.WriteLine(e);
}
sly
  • 300
  • 1
  • 5
  • This code is pretty the same of mine, but it does not work, and I don't understand why... I tried to add the log, and the certificate is sent. So maybe the IBM server is more restrictive than others... – Perry Sep 20 '16 at 07:59
2

The problem is that you install private key to machine store which is not generally allowed to use for client authentication for processes that doesn't run under local system account or have explicit private key permissions. You need to install the key in the current user store:

X509Certificate2 certificate = new X509Certificate2(certName, password,
        X509KeyStorageFlags.UserKeySet | X509KeyStorageFlags.PersistKeySet |
        X509KeyStorageFlags.Exportable);
Crypt32
  • 12,850
  • 2
  • 41
  • 70
  • I am not sure I can install the certificate in the IIS user, but go on **setting**, **computer certificate**, on the certificate I press right-click and **all activities**, **manage private key**, and added the IIS_USER to complete control and read. – Perry Sep 17 '16 at 05:45
  • But it would be incorrect. You really should install client authentication certificates in the user store. – Crypt32 Sep 17 '16 at 06:51
  • I tried with the certificate installed in the current user store, and with UserKeySet flag, the problem is that Internet explorer successful access, My program does not :( – Perry Sep 17 '16 at 07:06
0

I was trying to use a self-signed certificate whose only purpose was "Server certificate" as a client certificate using the following code:

        HttpWebRequest request = (HttpWebRequest)HttpWebRequest.Create("https://serverurl.com/test/certauth");
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadWrite);
        var certificate = store.Certificates.Find(X509FindType.FindByThumbprint, "a909502dd82ae41433e6f83886b00d4277a32a7b", true)[0];
        request.ClientCertificates.Add(certificate);
        HttpWebResponse response = (HttpWebResponse)request.GetResponse();

What I learned was that .NET Framework will accept such a certificate as a client certificate, but .NET Core will not (see https://github.com/dotnet/runtime/issues/26531).

There are two solutions:

  1. Switch to .NET Framework
  2. Generate a new self-signed certificate that has a purpose / Enhanced Key Usage = Client certificate. Then the code will work in Core as well.
Anders
  • 1,401
  • 3
  • 16
  • 20