
Use certificate when issuer is not in X509Store trusted roots for client authentication using Microsoft .NET framework

While working on this question, I identified that the problem is slightly different than initially stated, so I am changing the title and description.

I'm trying to authenticate myself against a WebService using my client certificate. I am using WebRequest for that purpose. I need to use a self-signed certificate, without registering it in the Windows X509 trusted root store.

The way I know whether the client certificate is presented or not is by examining the request object on the server.

I tried to use the code from this question as guidance. It doesn't work on .NET. Here is my code:

            // Requires: using System.Net; using System.Security.Cryptography.X509Certificates;
            var certificate = new X509Certificate2(Properties.Resources.MyCert);   // resource holds the client cert bytes
            HttpWebRequest req = (HttpWebRequest)WebRequest.Create(host);
            req.ClientCertificates.Add(certificate);                              // offered during the TLS handshake
            using (WebResponse resp = req.GetResponse())
            using (var stream = resp.GetResponseStream())
            {
                // read the response from stream ...
            }

What I observe is that even though req.ClientCertificates does contain a certificate with a valid private key, that certificate is never presented to the server. I get no indication from WebClient that the certificate is not used during the handshake.

If I put the certificate into "trusted root", the code will work (even when the certificate is not in "personal").

My questions are:

  1. Since the certificate is usable when it's placed in "trusted root", I assume it is likely due to policy or something of that kind. Is it possible to coerce .NET to ignore policy settings and use the supplied client certificate during TLS negotiation?

  2. If the above-mentioned coercion is not possible, is there a call which will tell me ahead of time that the certificate I am about to use is not usable and will be ignored? Alternatively, if such a call is not available, could I make WebClient fail indicating a certificate error, instead of silently skipping over it?

NOTE: I am aware that configuring certificates as described by Microsoft will work. This is NOT what I am looking for. I don't want to register a potentially insecure certificate in trusted root, because this is a potential security hazard. I want to use the cert on the client without registering it in the store, or at least to get an exception indicating that the certificate cannot be used. I realize that there can be multiple reasons why a certificate cannot be used for a session, but there must be an exception, or at least some sort of indication on the client side that it cannot use the specified cert. Instead, the client simply doesn't present one.

When you instantiate your X509Certificate2, is the PrivateKey property set? If it is null, you are missing the private key, meaning the SSL/TLS client will be unable to authenticate you.

Make sure you are loading the certificate from a PFX file (or similar) instead of a CER. These contain the private key, too. They are usually password protected for that purpose. See "How to retrieve certificates from a pfx file with c#?" for more info.
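As an added example (not code from the question or the answer), the following pre-flight check covers the answer's private-key point and the asker's second question in one place: before any request is sent, it reports locally why the certificate would not be usable for TLS client authentication, including the chain verdict that a self-signed certificate outside the trusted root store produces (UntrustedRoot). The PFX file name, password and URL are placeholders; everything else uses only standard .NET Framework APIs.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Security.Cryptography.X509Certificates;

// Added example: local checks that explain, ahead of the handshake, why a
// client certificate would not be offered or accepted. Not from the original post.
static class ClientCertPreflight
{
    // id-kp-clientAuth
    const string ClientAuthEkuOid = "1.3.6.1.5.5.7.3.2";

    // Returns human-readable problems; an empty array means all local checks passed.
    public static string[] Check(X509Certificate2 cert)
    {
        var problems = new List<string>();

        // The answer's point: a .cer carries no private key, so the TLS client
        // cannot prove possession of the certificate and will not authenticate.
        if (!cert.HasPrivateKey)
            problems.Add("No private key: load a PFX/PKCS#12 (with its password), not a .cer");

        var now = DateTime.Now;
        if (now < cert.NotBefore || now > cert.NotAfter)
            problems.Add("Certificate is outside its validity period");

        // If an EKU extension is present it must list Client Authentication.
        var eku = cert.Extensions.OfType<X509EnhancedKeyUsageExtension>().FirstOrDefault();
        if (eku != null && !eku.EnhancedKeyUsages.Cast<Oid>().Any(o => o.Value == ClientAuthEkuOid))
            problems.Add("EKU extension present but lacks Client Authentication (" + ClientAuthEkuOid + ")");

        // Build the chain against the machine's trust settings and surface the
        // verdict; a self-signed cert not in "trusted root" reports UntrustedRoot here.
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.ChainPolicy.ApplicationPolicy.Add(new Oid(ClientAuthEkuOid));
        if (!chain.Build(cert))
        {
            foreach (var status in chain.ChainStatus)
                problems.Add("Chain: " + status.Status + " (" + status.StatusInformation.Trim() + ")");
        }
        chain.Reset();

        return problems.ToArray();
    }

    public static void Main()
    {
        // Placeholder path and password: replace with your own PFX.
        var cert = new X509Certificate2("client.pfx", "pfx-password");

        var problems = Check(cert);
        if (problems.Length > 0)
        {
            // Fail loudly instead of letting the handshake silently omit the certificate.
            throw new InvalidOperationException(
                "Client certificate not usable:\n" + string.Join("\n", problems));
        }

        var req = (HttpWebRequest)WebRequest.Create("https://example.invalid/");   // placeholder URL
        req.ClientCertificates.Add(cert);
        using (var resp = req.GetResponse())
        {
            Console.WriteLine("Response received; client certificate was accepted by the local checks.");
        }
    }
}
```

Run the check once at startup and treat a non-empty result as a configuration error. The chain step reproduces the trust decision the platform makes, so it turns the silent "certificate not presented" behaviour from the question into an explicit message without having to add the self-signed certificate to the trusted root store.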
