I am trying to set up a Client certificate to work with a WebApi.

In the WebApi I have an AuthorizationFilterAttribute

public override void OnAuthorization(HttpActionContext actionContext)
{
    certificate = actionContext.Request.GetClientCertificate();
    if (certificate == null)
    {
       throw new ValidationException(1701, StatusTexts.AccessDenied1701);
    }

    ValidateCertififcate();

    base.OnAuthorization(actionContext);
}

My code to call the api is

X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);

var certifcates = store.Certificates.Find(X509FindType.FindBySerialNumber, "344da140810b30854f01a96c2035e05d", false);

var cert = certifcates[0];

HttpWebRequest Request = (HttpWebRequest)WebRequest.Create(url);
Request.ClientCertificates.Add(cert);
Request.Method = "GET";
Request.ServerCertificateValidationCallback +=
            delegate (object sender, X509Certificate certificate, X509Chain chain, System.Net.Security.SslPolicyErrors sslPolicyErrors)
            {
                return true; // **** Always accept
            };
HttpWebResponse Response = (HttpWebResponse)Request.GetResponse();

I am using IISExpress and I have altered my ..vs\config\applicationhost.config to have these lines

<iisClientCertificateMappingAuthentication enabled="true">
            </iisClientCertificateMappingAuthentication>

I switch between these two options

<access sslFlags="SslNegotiateCert" />

and

<access sslFlags="Ssl" />

With one, GetClientCertificate() returns null; with the other I get 'The request was aborted: Could not create SSL/TLS secure channel.'

I create my client certificate with this command

New-SelfSignedCertificate -Type Custom -Subject "CN=Jepsen,OU=UserAccounts,DC=corp,DC=contoso,DC=com" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2","2.5.29.17={text}upn=jepsen@contoso.com") -KeyUsage DigitalSignature -KeyAlgorithm RSA -KeyLength 2048 -CertStoreLocation "Cert:\LocalMachine\My"

I then copied the certificate into the Trusted Root Certification Authorities store.

(I still suspect this is where it goes wrong?)


I read this (quite a few times) and tried the registry edit, with no luck: How to use a client certificate to authenticate and authorize in a Web API

I also read this: IISExpress ClientCertificate Setup Steps

I tried using Fiddler and Postman, no luck.

Jepzen
  • Have you looked here: https://stackoverflow.com/questions/39528973/force-httpwebrequest-to-send-client-certificate? – Wiktor Zychla Mar 27 '18 at 12:10
  • I had a somewhat similar issue some time back where the app pool account didn't have sufficient privilege to read the certificate from the certificate store. – rahulaga-msft Mar 27 '18 at 12:11
  • @RahulAgarwal I remember something about that too. But if the client code (a console app) runs under my own account, should it not have my rights then? – Jepzen Mar 27 '18 at 12:15
  • I agree. That's why I didn't stress it much in the comment :) So IIS Express runs under your account? – rahulaga-msft Mar 27 '18 at 12:19
  • OK, it is solved. I tried exporting the certificate to a pfx file and loading it like @WiktorZychla's link suggested. Put it as an answer and I will accept it. – Jepzen Mar 27 '18 at 12:24
  • @RahulAgarwal But does IISExpress need to have access to the private key? I don't get that. – Jepzen Mar 27 '18 at 12:24
  • Marked as a duplicate instead so that is clear to future readers. – Wiktor Zychla Mar 27 '18 at 14:06
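As an added example (not the asker's code), here is the pattern the comments converge on, written out for both ends: the client loads the certificate from the exported PFX with its private key and keeps server-certificate validation on instead of the always-accept callback, and the server filter, which the question leaves as ValidateCertififcate(), checks the presented certificate against a thumbprint allow-list and its validity period. The PFX path, password and thumbprint values are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;
// Server side: accept only client certificates whose thumbprint is on an allow-list.
public sealed class ClientCertAuthorizeAttribute : AuthorizationFilterAttribute
{
    // Placeholder thumbprint(s); in practice load them from configuration.
    static readonly HashSet<string> Allowed =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "<CLIENT-THUMBPRINT-HEX>" };
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        var cert = actionContext.Request.GetClientCertificate();
        if (cert == null || !Allowed.Contains(cert.Thumbprint)
            || DateTime.Now < cert.NotBefore || DateTime.Now > cert.NotAfter)
        {
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Forbidden);
            return;
        }
        base.OnAuthorization(actionContext);
    }
}

// Client side: load the exported PFX (the fix from the comments) and keep server validation on.
public static class ClientCertCaller
{
    public static HttpWebResponse CallApi(string url, string pfxPath, string pfxPassword,
                                          string expectedServerThumbprint)
    {
        // MachineKeySet keeps the private key out of a per-user profile that SChannel may not read.
        var clientCert = new X509Certificate2(pfxPath, pfxPassword,
            X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);
        if (!clientCert.HasPrivateKey)
            throw new InvalidOperationException("PFX has no private key; SChannel cannot use it.");
        var request = (HttpWebRequest)WebRequest.Create(url);
        request.Method = "GET";
        request.ClientCertificates.Add(clientCert);
        // Tolerate only the one self-signed dev certificate we expect; reject everything else.
        request.ServerCertificateValidationCallback = (sender, cert, chain, errors) =>
            errors == SslPolicyErrors.None ||
            string.Equals(new X509Certificate2(cert).Thumbprint, expectedServerThumbprint,
                          StringComparison.OrdinalIgnoreCase);
        return (HttpWebResponse)request.GetResponse();
    }
}
```

If the handshake still fails with a certificate that IIS Express can read, the thumbprint rejection shows up server-side as a 403 rather than the "Could not create SSL/TLS secure channel" error, which makes the two failure modes in the question distinguishable.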

0 Answers