
I have an ASP.NET Web API (.NET Framework 4.6.1) which accepts client certificates. The requirement is to send a custom validation message in the response to a request that has an invalid certificate. For example, if the certificate is missing I should send back "Client certificate is missing"; if the OCSP validation fails, I should send back "Certificate has been revoked", etc. This is the code:

    using System.Net.Http;
    using System.Security.Cryptography.X509Certificates;
    using System.Threading;
    using System.Threading.Tasks;

    public class CertificateMessageHandler : DelegatingHandler
    {
        protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request,
            CancellationToken cancellationToken)
        {
            // Null when no certificate was presented or when IIS rejected it before it reached the app
            X509Certificate2 certificate = request.GetClientCertificate();
            // Hand the request on to the next handler / the controller
            return await base.SendAsync(request, cancellationToken);
        }
    }

I have a client application where I select which certificate I want to use, and it makes a request to the Web API application (which is hosted on another machine). If the certificate is valid, then request.GetClientCertificate() returns the certificate; otherwise, if the certificate is expired or self-signed, request.GetClientCertificate() returns null.

I have disabled the automatic CLR validation by IIS:

netsh http show sslcert
netsh http delete sslcert ipport=0.0.0.0:443
netsh http add sslcert ipport=0.0.0.0:443 e104e... appid={4dc3e181-...} certstorename=My verifyclientcertrevocation=disable

I have set:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo\0.0.0.0:443\DefaultSslCertCheckMode=1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\SendTrustedIssuerList=0

None of the above settings worked.

Note: a 3rd party that uses the web app might send a self-signed certificate, and the business logic should reject the request for such certificates; therefore, including the CA that signed the certificate in the Trusted Root store isn't possible.

Any help is appreciated on how to get the client certificate from the request.

EDIT: it seems that the module "IIS Web Core" validates the certificate against the certificate store well before the request is "forwarded" by IIS to my application.

Community
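The application-side half of what the question asks for, as an added example (this is not the questioner's code, and it does not solve the IIS pre-validation described in the edit above; it assumes IIS has been made to hand the certificate to the application regardless of chain outcome). The message texts, the use of 403 and the fail-closed revocation policy are assumptions; `GetClientCertificate()` and `CreateResponse()` are the Web API extension methods from System.Web.Http.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;
using System.Threading;
using System.Threading.Tasks;

// Added example: map the result of chain validation to custom response messages.
// Assumes the certificate actually reaches the handler (see the question's edit).
public class CertificateMessageHandler : DelegatingHandler
{
    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request,
        CancellationToken cancellationToken)
    {
        X509Certificate2 certificate = request.GetClientCertificate();

        string failure = Validate(certificate);
        if (failure != null)
        {
            // 403 rather than 401: the TLS handshake completed, the client just
            // presented a credential we do not accept. Body text is an assumption.
            return request.CreateResponse(HttpStatusCode.Forbidden, failure);
        }

        return await base.SendAsync(request, cancellationToken);
    }

    // Returns null if the certificate is acceptable, otherwise the message to send back.
    internal static string Validate(X509Certificate2 certificate)
    {
        if (certificate == null)
            return "Client certificate is missing";

        DateTime now = DateTime.Now;
        if (now < certificate.NotBefore || now > certificate.NotAfter)
            return "Certificate has expired or is not yet valid";

        using (var chain = new X509Chain())
        {
            // Online OCSP/CRL check; the root itself is not checked for revocation.
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
            // Require the clientAuth EKU (1.3.6.1.5.5.7.3.2).
            chain.ChainPolicy.ApplicationPolicy.Add(new Oid("1.3.6.1.5.5.7.3.2"));

            if (chain.Build(certificate))
                return null;

            // Aggregate all status flags so the most severe condition wins regardless of order.
            X509ChainStatusFlags flags = X509ChainStatusFlags.NoError;
            foreach (X509ChainStatus status in chain.ChainStatus)
                flags |= status.Status;

            if ((flags & X509ChainStatusFlags.Revoked) != 0)
                return "Certificate has been revoked";
            // Fail closed: unknown revocation status is treated as a rejection.
            if ((flags & (X509ChainStatusFlags.RevocationStatusUnknown
                          | X509ChainStatusFlags.OfflineRevocation)) != 0)
                return "Certificate revocation status could not be determined";
            // A self-signed certificate shows up as an untrusted root (or a partial chain).
            if ((flags & (X509ChainStatusFlags.UntrustedRoot
                          | X509ChainStatusFlags.PartialChain)) != 0)
                return "Certificate is self-signed or issued by an untrusted CA";

            return "Certificate failed validation: " + flags;
        }
    }
}
```

The handler is registered in WebApiConfig.Register with `config.MessageHandlers.Add(new CertificateMessageHandler());`. Note that this only works if IIS delivers the certificate at all; as the question reports, with the default IIS Web Core behaviour `GetClientCertificate()` is already null for expired or self-signed certificates and the handler's checks never run.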

1 Answer


You could try checking the settings below:

Set the IIS SSL setting to Accept.

And add the following to the web.config file:

    <!-- web.config: configuration/system.webServer/security/authentication -->
    <iisClientCertificateMappingAuthentication enabled="true" />

Edit:

ASP.NET Core is a framework, and Hostable Web Core (known as HWC) is a new concept in IIS to host a website/web services inside your own process. In short, a smaller hosted version of IIS (an IIS Express edition?). This is accomplished by making a LoadLibrary call to load hwebcore.dll (%systemdrive%\Windows\System32\inetsrv\hwebcore.dll).

Try to disable the Hostable Web Core feature by following the steps below:

  • Open Control Panel.

  • Click on “Turn Windows features on or off” in the left pane.

  • Locate Internet Information Services (IIS) Hostable Web Core in the list and uncheck the checkbox.

Restart IIS after making the changes.

https://blogs.iis.net/sukesh/iis7-hosted-web-core-custom-service-webcoreservice

Refer to the links below for more detail:

HttpRequestMessage.GetClientCertificate() returns null in Web API

How to use a client certificate to authenticate and authorize in a Web API

Client Authentication for WebAPI 2

Jalpa Panchal
  • Thank you for the answer, but `Require SSL` with `Accept` is already set, otherwise I wouldn't have been able to receive even a valid certificate. `iisClientCertificateMappingAuthentication` enables a mapping from one client certificates to one or more accounts, but this happens after the certificate is validated internally by IIS, so this setting is useless. –  Jun 17 '20 at 06:08
  • @TeoMor try to disable the iis hostable web core from the windows turn on and off feature [image](https://i.stack.imgur.com/56WPo.png) – Jalpa Panchal Jun 19 '20 at 09:52
  • The application is ASP Web API, not ASP .NET Core, so that setting has no effect. –  Jun 19 '20 at 10:28
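For reference, the two IIS settings the answer points at, written out as web.config configuration. This is an added illustration, not part of the answer: "Require SSL" with client certificates set to "Accept" in IIS Manager corresponds to `sslFlags="Ssl, SslNegotiateCert"` (use `SslRequireCert` for "Require"), and the mapping-authentication element sits under the same `security` section.

```xml
<configuration>
  <system.webServer>
    <security>
      <!-- Require SSL, and negotiate (accept, but do not require) a client certificate -->
      <access sslFlags="Ssl, SslNegotiateCert" />
      <authentication>
        <!-- Maps an accepted certificate to a Windows account; runs after IIS has already validated the chain -->
        <iisClientCertificateMappingAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
</configuration>
```

Both `security/access` and `security/authentication/iisClientCertificateMappingAuthentication` are locked at the server level by default, so a web.config entry is ignored until the section is unlocked (for example `%windir%\system32\inetsrv\appcmd unlock config /section:system.webServer/security/access`) or the setting is made in applicationHost.config directly. As the comment above notes, neither setting changes the fact that IIS validates the chain before the request reaches the application.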