I'm getting this error when using certificate-based authentication with System.Net.Http.HttpClient in .NET Standard 2.0. This is not related to not using TLS 1.2 as this answer would suggest.

// Namespaces this snippet depends on:
using System;
using System.Net.Http;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

var requestMessage = new HttpRequestMessage() {
    RequestUri = new Uri(new Uri(_configuration.Endpoint), "someendpoint"),
    Method = HttpMethod.Get
};
// Present the client certificate manually rather than letting the handler pick one
var handler = new HttpClientHandler {
    ClientCertificateOptions = ClientCertificateOption.Manual,
    SslProtocols = SslProtocols.Tls12,
};
handler.ClientCertificates.Add(certificate);
handler.CheckCertificateRevocationList = false;
// this is required to get around untrusted self-signed certs
handler.ServerCertificateCustomValidationCallback = (httpRequestMessage, cert, certChain, policyErrors) => true;
var client = new HttpClient(handler);
// Also forward the raw cert in the header used by the reverse proxy in front of the service
requestMessage.Headers.Add("X-ARR-ClientCert", certificate.GetRawCertDataString());
var response = await client.SendAsync(requestMessage);

The client certificate is installed in the local computer My store.

The reason it happens is because I'm not running as Administrator, it works as expected under Administrator privileges. The question is, why?

Michael Brown
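A diagnostic you can run as the non-admin identity to separate "no private key attached" from "private key present but the machine key file's ACL denies this user", which is what the question is circling around. This is an added example, not code from the question; the thumbprint is a placeholder and the probe signature is constructed just to force the key to be opened.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

public static class ClientCertDiagnostics
{
    // Placeholder (hypothetical) thumbprint; substitute the real client cert's thumbprint.
    private const string Thumbprint = "0000000000000000000000000000000000000000";

    // Loads the certificate the same way the question's code should: through X509Store,
    // from the LocalMachine\My store where the question says it is installed.
    public static X509Certificate2 LoadFromMachineStore(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            var matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            if (matches.Count == 0)
                throw new InvalidOperationException("Certificate not found in LocalMachine\\My.");
            return matches[0];
        }
    }

    // Returns true only if the calling identity can actually perform a private-key operation.
    // HasPrivateKey alone is not enough: it reports that a key is linked, not that this
    // user may open it.
    public static bool CanUsePrivateKey(X509Certificate2 cert, out string detail)
    {
        if (!cert.HasPrivateKey)
        {
            detail = "No private key is associated with this certificate.";
            return false;
        }
        try
        {
            using (RSA rsa = cert.GetRSAPrivateKey())
            {
                if (rsa == null)
                {
                    detail = "Private key is not RSA; probe with GetECDsaPrivateKey() instead.";
                    return false;
                }
                // A real signing call opens the underlying CSP/CNG key, which is where
                // an ACL denial on the machine key file surfaces for a non-admin user.
                rsa.SignData(Encoding.ASCII.GetBytes("probe"),
                             HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
                detail = "Private key is usable by the current identity.";
                return true;
            }
        }
        catch (CryptographicException ex)
        {
            // Typical non-admin symptoms here: "Keyset does not exist" or access denied.
            detail = "Private key is linked but not accessible to this identity: " + ex.Message;
            return false;
        }
    }

    public static void Main()
    {
        var cert = LoadFromMachineStore(Thumbprint);
        Console.WriteLine(CanUsePrivateKey(cert, out var why) ? "OK" : "FAIL");
        Console.WriteLine(why);
    }
}
```

If this prints FAIL under the service account but OK under Administrator, the certificate is fine and the fix belongs on the private key's ACL (grant the service identity read access to the key, or import the PFX into that user's own personal store), not in the HttpClient code.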
    How was the client certificate created/installed and how are you getting your `certificate` instance? Perhaps the private key is only accessible to the Administrator user. If you have a pfx, try installing it in the current user personal store for the user you are trying to run as. And make sure you are retrieving the cert via `X509Store` class. – Dave M Nov 15 '19 at 01:09
  • You can also check `certificate.HasPrivateKey` – Dave M Nov 15 '19 at 01:11
  • Also, setting `ServerCertificateCustomValidationCallback` to always return true is **very very bad**. Please make sure this code never has any chance of being in production. You can at least pin the server cert thumbprint or something and check that and also don’t ignore other types of ssl errors that are possible besides untrusted roots. – Dave M Nov 15 '19 at 01:17
  • No that’s just being set due to testing self signed certificates. It’s for client auth which is backend service to service. The certificate has a private key and yes it says as such in the certificate. It’s stored in the local machine Root store and validated against its Issuing cert. It seems though that only Administrator has access to the private key, as if there is an ACL permission against it - I just can’t find any clear docs on this issue. – Michael Brown Nov 15 '19 at 07:59
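Dave M's point about the always-true callback can be applied without losing the ability to talk to a self-signed test server: tolerate only the chain error a self-signed certificate produces, and only for the one certificate you expect. The following is an added example (not code from the question or the comments); the expected thumbprint and the decision helper are assumptions introduced here so the policy can be unit-tested separately from the handler.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

public static class PinnedHandlerFactory
{
    // Pure decision function: accept the server cert only if (a) the only policy error
    // is a chain error (untrusted root on a self-signed test cert) and (b) its thumbprint
    // matches the pinned value. Name mismatches, missing certs, etc. are always rejected.
    public static bool IsAcceptable(SslPolicyErrors errors, string actualThumbprint, string pinnedThumbprint)
    {
        const SslPolicyErrors tolerated = SslPolicyErrors.RemoteCertificateChainErrors;
        if ((errors & ~tolerated) != SslPolicyErrors.None)
            return false;
        if (string.IsNullOrEmpty(actualThumbprint) || string.IsNullOrEmpty(pinnedThumbprint))
            return false;
        return string.Equals(actualThumbprint.Replace(" ", ""),
                             pinnedThumbprint.Replace(" ", ""),
                             StringComparison.OrdinalIgnoreCase);
    }

    // Builds the same handler as the question, but with pinning instead of "=> true".
    // pinnedServerThumbprint is a hypothetical config value you supply.
    public static HttpClientHandler Create(X509Certificate2 clientCert, string pinnedServerThumbprint)
    {
        var handler = new HttpClientHandler
        {
            ClientCertificateOptions = ClientCertificateOption.Manual,
            SslProtocols = SslProtocols.Tls12,
        };
        handler.ClientCertificates.Add(clientCert);
        handler.ServerCertificateCustomValidationCallback =
            (request, serverCert, chain, errors) =>
                serverCert != null && IsAcceptable(errors, serverCert.Thumbprint, pinnedServerThumbprint);
        return handler;
    }
}
```

With this in place, a certificate that chains to a trusted root and matches the pin passes with `SslPolicyErrors.None`; a self-signed test certificate passes only if its thumbprint is the pinned one; and any hostname mismatch is rejected regardless of the pin, which is the failure mode the bare `=> true` silently hides.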

0 Answers