
I have written a simple REST API endpoint that validates the received client certificate. The endpoint is configured with

<security mode="Transport">
  <transport clientCredentialType="Certificate" />
</security>

In code the received certificate is converted to an X509Certificate2, and from there it can be validated.

// The raw certificate bytes from the request are wrapped so they can be inspected and validated.
var clientCertificate = new X509Certificate2(HttpContext.Current.Request.ClientCertificate.Certificate);

The site is now hosted on IIS, where it is configured to require the certificate.

At the client side the certificate is added to the HttpClientHandler:

var instance = new HttpClientHandler();
instance.ClientCertificates.Add(certificate); // 'certificate' is the X509Certificate2 the client presents

This all works fine...

But now I want to add a second client certificate to the same request, and it looks like that should be supported, because HttpClientHandler.ClientCertificates is a collection. Therefore I added a second certificate to the request.

But how should both certificates be retrieved at the server side? HttpContext.Current.Request.ClientCertificate.Certificate is not a collection.

Additional information: the reason for multiple client certificates is that I need to write a proxy kind of application that will require certificate-A, but the real endpoint requires certificate-B. So the proxy application needs to retrieve both.

EDIT

Ok, I know why this is impossible; however, some people insist I write it as "edit" and not as "answer" because it does not fix the issue. (Some things are not fixable.)

As far as I now understand: you can give multiple certificates to the client handler, but the handler chooses (based on the information the server supplies during the handshake) which certificate is used. I am not sure what information the server sends, or how the right certificate is chosen to set up the connection; however, I am pretty sure only 1 client certificate is used/sent to set up the connection. To fix the underlying issue, I need to supply the second certificate to the proxy in another way (perhaps as body data, or pre-configured at the proxy side).

Leandro Bardelli
Doomic
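The edit above says the handler picks one certificate based on something the server sends. The following added example (not code from the question) shows where that decision is made in .NET: the server's CertificateRequest message lists the issuer names it accepts, and the TLS stack hands them to a selection callback that must return exactly one certificate. It assumes .NET Core 3.0 or later, where SocketsHttpHandler exposes SslOptions; the class and method names are made up for the example.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example: a client that is given two certificates but, as in any TLS handshake,
// can only offer one of them. The selection callback is the single place where the
// choice happens, and 'acceptableIssuers' is the only hint the server provides.
public static class SingleClientCertDemo
{
    public static X509Certificate SelectOne(
        object sender,
        string targetHost,
        X509CertificateCollection localCertificates,
        X509Certificate remoteCertificate,
        string[] acceptableIssuers)
    {
        foreach (X509Certificate candidate in localCertificates)
        {
            var c2 = new X509Certificate2(candidate);
            // Prefer a certificate whose issuer the server said it trusts.
            // Assumption: the DN string format matches; if your CA names differ in
            // formatting, compare X500DistinguishedName values instead.
            if (acceptableIssuers != null &&
                Array.IndexOf(acceptableIssuers, c2.IssuerName.Name) >= 0)
            {
                return candidate;
            }
        }

        // No issuer matched: fall back to the first certificate, or offer none.
        return localCertificates.Count > 0 ? localCertificates[0] : null;
    }

    public static HttpClient Build(X509Certificate2 certA, X509Certificate2 certB)
    {
        var handler = new SocketsHttpHandler();
        handler.SslOptions.ClientCertificates =
            new X509CertificateCollection { certA, certB };
        handler.SslOptions.LocalCertificateSelectionCallback = SelectOne;
        return new HttpClient(handler);
    }
}
```

Whatever the callback returns is the one certificate the server will see in HttpContext.Current.Request.ClientCertificate; the other entry in the collection never leaves the client. That is why a second certificate has to travel by some other channel, as the edit concludes.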

1 Answer


It is not impossible, but it is not possible inside the box. Don't forget that every certificate is attached to the communication, and the communication itself is indeed a TCP/IP data transfer with a specific protocol. But this protocol in this case is open.
So:

You can read your certificate and write it inside the communication in your own header value. There is no limit here: Maximum on HTTP header values?

Of course you can also attach it to the content. You can make your content with a header and the real body, everything packaged inside as body.

Then on the other side, you can read the certificate from the header, and compare and check it on the other side where the certificate is already installed (or not, maybe just in the right folder).

Basically it is the same, but made on your own.

Note: This is only applicable if you control both sides of the communication.

Leandro Bardelli
  • Well, adding the second certificate as a header is just another way around what I said: supply it as body data. My question was, however: can I add 2 certificates to the HttpClientHandler.ClientCertificates list and read them both at server level? I still believe that is impossible... Thanks, however, for putting effort into answering my question – Doomic Dec 07 '21 at 14:52
  • @Doomic no problem, I didn't see that part of your editing. Sorry! – Leandro Bardelli Dec 07 '21 at 14:58
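The answer proposes carrying certificate-B in a header and checking it on the receiving side. The following added example (not the answer's code) implements both halves with the checks a receiver needs: only the public part is exported, the header is size-limited and parsed defensively, and the certificate is accepted only if its thumbprint is on an allow-list and it chains to the expected CA. The header name, the size cap and the class names are assumptions; the chain-building API assumes .NET Core 2.0 or later (X509ChainTrustMode).

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example: transporting a second certificate out of band, in an HTTP header,
// and validating it at the far end. A certificate received this way is public data:
// the check proves which certificate was named, not that the sender holds its key,
// so the receiver must pin the acceptable thumbprints rather than trust any valid chain.
public static class HeaderCertTransport
{
    public const string HeaderName = "X-Client-Cert-B";   // assumed header name
    const int MaxHeaderChars = 8 * 1024;                   // assumed cap; stay under the server's header limit

    // Proxy/client side: attach only the public certificate (DER, base64).
    // X509ContentType.Cert never includes the private key.
    public static void AttachPublicCert(HttpRequestMessage request, X509Certificate2 cert)
    {
        byte[] der = cert.Export(X509ContentType.Cert);
        request.Headers.Add(HeaderName, Convert.ToBase64String(der));
    }

    // Receiving side: parse the header value and decide whether to accept it.
    // On ASP.NET Framework the value comes from HttpContext.Current.Request.Headers[HeaderName].
    public static bool TryReadAndCheck(
        string headerValue,
        ISet<string> allowedThumbprints,   // pinned, uppercase hex thumbprints (no separators)
        X509Certificate2 trustedRoot,      // the CA that is expected to have issued certificate-B
        out X509Certificate2 cert)
    {
        cert = null;
        if (string.IsNullOrEmpty(headerValue) || headerValue.Length > MaxHeaderChars)
            return false;

        byte[] der;
        try { der = Convert.FromBase64String(headerValue); }
        catch (FormatException) { return false; }

        X509Certificate2 parsed;
        try { parsed = new X509Certificate2(der); }
        catch (CryptographicException) { return false; }

        // Pinning first: reject anything not explicitly expected before doing chain work.
        if (!allowedThumbprints.Contains(parsed.Thumbprint))
            return false;

        // Then verify the certificate still chains to the expected CA and is within its validity period.
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
            chain.ChainPolicy.CustomTrustStore.Add(trustedRoot);
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // offline example; enable in production
            if (!chain.Build(parsed))
                return false;
        }

        cert = parsed;
        return true;
    }
}
```

The pin is the important part. Without it, anyone who has seen certificate-B's public part (it is sent in the clear in a TLS 1.2 handshake) could put it in the header, and a chain check alone would accept it. The real proof of possession for certificate-B still has to come from a TLS handshake that the proxy performs with the real endpoint, which is the point the question's edit arrives at.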