
I've set up a WebAPI service to require https and open to accept a client certificate. The SSL part is working fine. I'm using the WebRequestHandler to attach a certificate (a real one, not test cert) to the request, but when I access request.GetClientCertificate in the WebAPI controller, the certificate is null.

The SSL cert is bound to the port using "netsh http add sslcert" with the clientcertnegotiation=enable parameter.

I'm using IISExpress, and modified the applicationhost.config by adding <access sslFlags="Ssl, SslNegotiateCert" /> to the security node, and setting <clientCertificateMappingAuthentication enabled="true" /> under the authentication node.

I don't get any errors, just null.

My only clue is when I bring up the WebAPI in the browser, I'm prompted for a ClientCertificate, and the one I'm adding to the WebRequestHandler in code is not in the list.

What are the requirements for a certificate to be used as a client certificate? This question (IISExpress ClientCertificate Setup Steps) implies that may be my problem.

Random

1 Answer

To require certs you need to set SslRequireCert in addition to SslNegotiateCert. The mapping is typically not needed.

The requirements for client certs are that the issuer of that cert must be a trusted issuer (from a service point of view), meaning in the "Trusted CA" list... and the issuer cert must include an intended purpose of "client authentication".

leastprivilege
  • If I add SslRequireCert, my request doesn't even make it to the server. My cert isn't making it. And it does have client authentication with the purpose. – Random May 06 '13 at 16:51
  • Well - then you don't have a cert in the user store that is considered trusted by the server. Are you sure the CA cert is in the right store and all that? – leastprivilege May 06 '13 at 20:57
  • An old article I wrote: http://leastprivilege.com/2005/11/25/iis6-and-client-certificates/ – leastprivilege May 06 '13 at 20:58
  • That could be a clue. As I'd said, I get a dialog when I debug the server, but my certificates aren't in the dialog. The certificate I want to send has Client Authentication usage, but the root CA for it does not. However, I also created a test cert according to these instructions (http://msdn.microsoft.com/en-us/library/cc949057.aspx), and still get failure. FYI - I am not looking to have this work with Active Directory. This is a cert on a smart card. – Random May 07 '13 at 15:48
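The answer and the comment thread above turn on two checks: does the certificate being attached to WebRequestHandler carry the Client Authentication purpose, and does it chain to a root the server machine trusts. The following console program is an added diagnostic, not code from the question, the answer or any project mentioned; it runs those two checks locally with the same X509Chain machinery Windows uses, so a null or rejected certificate can be explained before touching netsh or applicationhost.config. It assumes .NET Framework 4.5 or later, that the certificate lives in the CurrentUser\My store, and that it is selected by a thumbprint passed on the command line (the default value is a placeholder).

```csharp
// Added diagnostic for the client-certificate requirements discussed above.
// Assumptions: .NET Framework 4.5+, certificate in CurrentUser\My, selected by
// thumbprint. The thumbprint default is a placeholder, not a real value.
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

static class ClientCertDiagnostics
{
    // Extended Key Usage OID for "Client Authentication" (RFC 5280 id-kp-clientAuth).
    const string ClientAuthOid = "1.3.6.1.5.5.7.3.2";

    // True if the leaf certificate may be used for client authentication.
    // A certificate with no EKU extension is unconstrained and is accepted;
    // a certificate whose EKU list omits clientAuth is rejected.
    public static bool AllowsClientAuth(X509Certificate2 cert)
    {
        var ekus = cert.Extensions.OfType<X509EnhancedKeyUsageExtension>().ToList();
        if (ekus.Count == 0) return true;
        return ekus.Any(e => e.EnhancedKeyUsages.Cast<Oid>().Any(o => o.Value == ClientAuthOid));
    }

    // Builds the chain against the local trust stores, requiring the
    // client-authentication application policy along the whole chain, which is
    // what a server-side negotiation will also demand. Revocation checking is
    // disabled so that an offline machine answers only the trust question.
    public static bool ChainsToTrustedRoot(X509Certificate2 cert, out string detail)
    {
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.ChainPolicy.ApplicationPolicy.Add(new Oid(ClientAuthOid));
        bool ok = chain.Build(cert);
        if (ok)
        {
            var root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
            detail = "root: " + root.Subject;
        }
        else
        {
            // Each status entry names one failure, e.g. UntrustedRoot, NotValidForUsage.
            detail = string.Join("; ", chain.ChainStatus
                .Select(s => s.Status + ": " + s.StatusInformation.Trim()));
        }
        return ok;
    }

    public static void Main(string[] args)
    {
        string thumbprint = args.Length > 0 ? args[0] : "<THUMBPRINT-PLACEHOLDER>";
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly:false so an untrusted or expired certificate is still
            // returned and can be diagnosed rather than silently filtered out.
            var cert = store.Certificates
                .Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false)
                .OfType<X509Certificate2>()
                .FirstOrDefault();
            if (cert == null)
            {
                Console.WriteLine("certificate not found in CurrentUser\\My");
                return;
            }

            string detail;
            bool trusted = ChainsToTrustedRoot(cert, out detail);
            Console.WriteLine("subject:          " + cert.Subject);
            Console.WriteLine("issuer:           " + cert.Issuer);
            // The TLS handshake signs with the private key; without it the
            // certificate is never offered to the server at all.
            Console.WriteLine("has private key:  " + cert.HasPrivateKey);
            Console.WriteLine("client auth EKU:  " + AllowsClientAuth(cert));
            Console.WriteLine("trusted chain:    " + trusted + " (" + detail + ")");
        }
        finally
        {
            store.Close();
        }
    }
}
```

Run it with the thumbprint of the certificate you hand to WebRequestHandler.ClientCertificates. If "trusted chain" reports UntrustedRoot, the issuing CA is not in the machine's Trusted Root Certification Authorities store, which matches the symptom in the comments of the certificate never appearing in the browser's selection dialog; if it reports NotValidForUsage, some certificate in the chain lacks the client-authentication purpose. Both conditions must pass before adding SslRequireCert to sslFlags will let a request through.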