14

I have a p12 certificate, that I load it in this way:

X509Certificate2 certificate = new X509Certificate2(certName, password, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable);

It is loaded correcty, in fact If i do certificate.PrivateKey.ToXmlString(true); it returns a complete xml without errors. But If I do:

try { X509Chain chain = new X509Chain(); var chainBuilt = chain.Build(certificate); Console.WriteLine("Chain building status: "+ chainBuilt); if (chainBuilt == false) foreach (X509ChainStatus chainStatus in chain.ChainStatus) Console.WriteLine("Chain error: "+ chainStatus.Status); } catch (Exception ex) { Console.WriteLine(ex); }

it writes:

Chain building status: False Chain error: RevocationStatusUnknown Chain error: OfflineRevocation

so when I do:

 ServicePointManager.CheckCertificateRevocationList = false; ServicePointManager.ServerCertificateValidationCallback = (a, b, c, d) => true; ServicePointManager.Expect100Continue = true; Console.WriteLine("connessione a:" + host); HttpWebRequest req = (HttpWebRequest)WebRequest.Create(host); req.PreAuthenticate = true; req.AllowAutoRedirect = true; req.ClientCertificates.Add(certificate); req.Method = "POST"; req.ContentType = "application/x-www-form-urlencoded"; string postData = "login-form-type=cert"; byte[] postBytes = Encoding.UTF8.GetBytes(postData); req.ContentLength = postBytes.Length; Stream postStream = req.GetRequestStream(); postStream.Write(postBytes, 0, postBytes.Length); postStream.Flush(); postStream.Close(); WebResponse resp = req.GetResponse();

the server says that the certificate is not sent/valid.

My question is:

  • how can I sent the certificate even with chain build false?
  • there is another class to post a certificate that does not check the certificate validation before send it?

many thanks. Antonino

Improve this question
7
  • Does the web server trust the issuer of your client certificate? If not, the web server will reject the client certificate. Commented Sep 16, 2016 at 15:46
  • Yeah, I forgot to mention that if I add the certificate to user certificates and I try to connect with internet explorer the connection works. Commented Sep 16, 2016 at 16:49
  • I tested your code using a PKCS12 (.pfx) certificate containing a private key and it was successful Commented Sep 16, 2016 at 17:07
  • mine is a p12 file. was you able to connect with the certificate? It is installed in user certificate key set or in the computer key set? (I have windows in italian, I am not sure about the terms) Commented Sep 17, 2016 at 6:27
  • Yes, I was able to connect with the certificate which is installed in the current user store. Since it works in IE, try exporting the certificate with the private key from IE to .pfx Export Certificates (Windows), then reference that exported .pfx file from your code. Commented Sep 19, 2016 at 3:05

4 Answers 4

Reset to default
31

I resolved the problem, The point is that a P12 file (as a PFX) contains more then 1 certificate, so it must be loaded in this way: 

X509Certificate2Collection certificates = new X509Certificate2Collection(); certificates.Import(certName, password, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);

and added to a HttpWebRequest in this way: request.ClientCertificates = certificates;

Thanks everybody for support.

COMPLETE SAMPLE CODE

string host = @"https://localhost/"; string certName = @"C:\temp\cert.pfx"; string password = @"password"; try { X509Certificate2Collection certificates = new X509Certificate2Collection(); certificates.Import(certName, password, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet); ServicePointManager.ServerCertificateValidationCallback = (a, b, c, d) => true; HttpWebRequest req = (HttpWebRequest)WebRequest.Create(host); req.AllowAutoRedirect = true; req.ClientCertificates = certificates; req.Method = "POST"; req.ContentType = "application/x-www-form-urlencoded"; string postData = "login-form-type=cert"; byte[] postBytes = Encoding.UTF8.GetBytes(postData); req.ContentLength = postBytes.Length; Stream postStream = req.GetRequestStream(); postStream.Write(postBytes, 0, postBytes.Length); postStream.Flush(); postStream.Close(); WebResponse resp = req.GetResponse(); Stream stream = resp.GetResponseStream(); using (StreamReader reader = new StreamReader(stream)) { string line = reader.ReadLine(); while (line != null) { Console.WriteLine(line); line = reader.ReadLine(); } } stream.Close(); } catch(Exception e) { Console.WriteLine(e); }
Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

thank you for this. I helped me a lot. Is there a way to add the certificate from the certificate store, rather than specify an actual file? I used to do this with WINHTTP.DLL, with this line of code : " m_ServerObj.SetClientCertificate "LOCAL_MACHINE\My\certname"
Works fine until you have to use the certificate on another machine then you get an error that the password is incorrect. Any idea why that might happen?
3

I created a command-line program using a modified version of your code with a pfx cert containing the private key exported from IE and I'm able to authenticate to a secure website and retrieve protected pages:

string host = @"https://localhost/"; string certName = @"C:\temp\cert.pfx"; string password = @"password"; try { X509Certificate2 certificate = new X509Certificate2(certName, password); ServicePointManager.CheckCertificateRevocationList = false; ServicePointManager.ServerCertificateValidationCallback = (a, b, c, d) => true; ServicePointManager.Expect100Continue = true; HttpWebRequest req = (HttpWebRequest)WebRequest.Create(host); req.PreAuthenticate = true; req.AllowAutoRedirect = true; req.ClientCertificates.Add(certificate); req.Method = "POST"; req.ContentType = "application/x-www-form-urlencoded"; string postData = "login-form-type=cert"; byte[] postBytes = Encoding.UTF8.GetBytes(postData); req.ContentLength = postBytes.Length; Stream postStream = req.GetRequestStream(); postStream.Write(postBytes, 0, postBytes.Length); postStream.Flush(); postStream.Close(); WebResponse resp = req.GetResponse(); Stream stream = resp.GetResponseStream(); using (StreamReader reader = new StreamReader(stream)) { string line = reader.ReadLine(); while (line != null) { Console.WriteLine(line); line = reader.ReadLine(); } } stream.Close(); } catch(Exception e) { Console.WriteLine(e); }
Improve this answer

1 Comment

This code is pretty the same of mine, but it does not work, and I don't understand why... I tried to add the log, and the certificate is sent. So maybe the IBM server is more restrictive than others...
2

The problem is that you install private key to machine store which is not generally allowed to use for client authentication for processes that doesn't run under local system account or have explicit private key permissions. You need to install the key in the current user store:

X509Certificate2 certificate = new X509Certificate2(certName, password, X509KeyStorageFlags.UserKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable);
Improve this answer

3 Comments

I am not sure I can install the certificate in the IIS user, but go on setting, computer certificate, on the certificate I press right-click and all activities, manage private key, and added the IIS_USER to complete control and read.
But it would be incorrect. You really should install client authentication certificates in the user store.
I tried with the certificate installed in the current user store, and with UserKeySet flag, the problem is that Internet explorer successful access, My program does not :(
1

I was trying to use a self-signed certificate whose only purpose was "Server certificate" as a client certificate using the following code:

 HttpWebRequest request = (HttpWebRequest)HttpWebRequest.Create("https://serverurl.com/test/certauth"); X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine); store.Open(OpenFlags.ReadWrite); var certificate = store.Certificates.Find(X509FindType.FindByThumbprint, "a909502dd82ae41433e6f83886b00d4277a32a7b", true)[0]; request.ClientCertificates.Add(certificate); HttpWebResponse response = (HttpWebResponse)request.GetResponse();

What I learned was that .NET Framework will accept such a certificate as a client certificate, but .NET Core will not (see https://github.com/dotnet/runtime/issues/26531).

There are two solutions:

  1. Switch to .NET Framework
  2. Generate a new self-signed certificate that has a purpose / Enhanced Key Usage = Client certificate. Then the code will work in Core as well.
Improve this answer

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.