X509/SSL Certificate : The request was aborted: Could not create SSL/TLS secure channel

I am using an X509 certificate to enable an HTTPS connection with the remote server to consume web services.

When I make a call to the URL (https://abc:xyz) in the Chrome browser, it shows a select-certificate popup with the certificate details. I select the certificate and click OK, and then the WSDL is displayed in the Chrome browser window, but in IE and other browsers it does not happen as expected.

I am trying to trace the connection request details using System.Net; it captures the following details:

System.Net Information: 0 : [18048] ConnectStream#2057527 - Sending headers
{
Content-Type: application/soap+xml; charset=utf-8
VsDebuggerCausalityData: uIDPo94MQgusWbZIjUgfCLAP3K4AAAAAIHoKeK7mt0Oc7fMoLLczM4ReHSdTHDFCmbHXDnli+jsACQAA
Host: abc:xyz
Content-Length: 1453
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
}.
System.Net Information: 0 : [18048] SecureChannel#51438198::.ctor(hostname=abc:xyz, #clientCertificates=0, encryptionPolicy=RequireEncryption)
System.Net Information: 0 : [18048] Enumerating security packages:
System.Net Information: 0 : [18048]     Negotiate
System.Net Information: 0 : [18048]     NegoExtender
System.Net Information: 0 : [18048]     Kerberos
System.Net Information: 0 : [18048]     NTLM
System.Net Information: 0 : [18048]     TSSSP
System.Net Information: 0 : [18048]     pku2u
System.Net Information: 0 : [18048]     WDigest
System.Net Information: 0 : [18048]     Schannel
System.Net Information: 0 : [18048]     Microsoft Unified Security Protocol Provider
System.Net Information: 0 : [18048]     Default TLS SSP
System.Net Information: 0 : [18048]     CREDSSP
System.Net Information: 0 : [18048] SecureChannel#51438198 - Left with 0 client certificates to choose from.
System.Net Information: 0 : [18048] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent  = Outbound, scc     = System.Net.SecureCredential)
System.Net Information: 0 : [18048] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = (null), targetName = abc:xyz, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [18048] InitializeSecurityContext(In-Buffer length=0, Out-Buffer length=128, returned code=ContinueNeeded).
System.Net.Sockets Verbose: 0 : [18048] Socket#50289903::Send()
System.Net.Sockets Verbose: 0 : [18048] Data from Socket#50289903::Send
System.Net.Sockets Verbose: 0 : [18048] 00000000 : 16 03 01 00 7B 01 00 00-77 03 01 5A 82 90 D8 AC : ....{...w..Z....
System.Net.Sockets Verbose: 0 : [18048] 00000010 : CD C6 8C BF D6 E9 D5 DB-22 1F B4 B6 AD 40 CF FE : ........"....@..
System.Net.Sockets Verbose: 0 : [18048] 00000020 : 31 00 8C 51 B8 D5 63 3C-46 92 43 00 00 0E C0 0A : 1..Q..c<F.C.....
System.Net.Sockets Verbose: 0 : [18048] 00000030 : C0 09 C0 14 C0 13 00 35-00 2F 00 0A 01 00 00 40 : .......5./.....@
System.Net.Sockets Verbose: 0 : [18048] 00000040 : 00 00 00 1D 00 1B 00 00-18 78 7A 74 2E 73 65 72 : .........
System.Net.Sockets Verbose: 0 : [18048] 00000050 : 76 69 63 65 73 2E 69 72-64 2E 67 6F 76 74 2E 6E : 
System.Net.Sockets Verbose: 0 : [18048] 00000060 : 7A 00 0A 00 08 00 06 00-1D 00 17 00 18 00 0B 00 : ...............
System.Net.Sockets Verbose: 0 : [18048] 00000070 : 02 01 00 00 23 00 00 00-17 00 00 FF 01 00 01 00 : ....#...........
System.Net.Sockets Verbose: 0 : [18048] Exiting Socket#50289903::Send()     -> Int32#128
System.Net.Sockets Verbose: 0 : [18048] Socket#50289903::Receive()
System.Net.Sockets Verbose: 0 : [18048] Data from Socket#50289903::Receive
System.Net.Sockets Verbose: 0 : [18048] 00000000 : 15 03 01 00 02                                  : .....
System.Net.Sockets Verbose: 0 : [18048] Exiting Socket#50289903::Receive()  -> Int32#5
System.Net.Sockets Verbose: 0 : [18048] Socket#50289903::Receive()
System.Net.Sockets Verbose: 0 : [18048] Data from Socket#50289903::Receive
System.Net.Sockets Verbose: 0 : [18048] 00000005 : 02 28                                           : .(
System.Net.Sockets Verbose: 0 : [18048] Exiting Socket#50289903::Receive()  -> Int32#2
System.Net Information: 0 : [18048] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 99f5768:9a5fea0, targetName = abc:xyz, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [18048] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=IllegalMessage).
System.Net.Sockets Verbose: 0 : [18048] Socket#50289903::Dispose()
System.Net Error: 0 : [18048] Exception in HttpWebRequest#32233916:: - The request was aborted: Could not create SSL/TLS secure channel..
System.Net Error: 0 : [18048] Exception in HttpWebRequest#32233916::GetResponse - The request was aborted: Could not create SSL/TLS secure channel..

What can be the reason, and in what scenarios will we see the specified error?

Update: I am worried about this message in particular: SecureChannel#51438198::.ctor(hostname=abc:xyz, #clientCertificates=0, encryptionPolicy=RequireEncryption)

What is likely happening is that the browser doesn't have enough certificates in the store to create a complete chain of certificates to present to the server. This means that a root certificate, intermediate certificate or even the client certificate is missing. If the client certificate doesn't have a private key associated with it in the certificate store then you could also get this error.

So what you can do is to export the client certificate + private key and intermediate certificates + root certificate from your browser and then add them to the browser where the client certificate cannot be found.
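The Send/Receive byte dumps in the question's trace can be decoded to see what was exchanged before the exception: a TLS 1.0 ClientHello went out and a fatal handshake_failure alert came back. This is an added example, not part of the original post; the function names are this example's own, and the embedded lines are copied from the trace above.

```python
import re

# Hex-dump lines copied from the trace in the question: the first 64 bytes
# sent (ClientHello through its cipher suites) and every byte received.
TRACE = r"""
System.Net.Sockets Verbose: 0 : [18048] Data from Socket#50289903::Send
System.Net.Sockets Verbose: 0 : [18048] 00000000 : 16 03 01 00 7B 01 00 00-77 03 01 5A 82 90 D8 AC : ....{...w..Z....
System.Net.Sockets Verbose: 0 : [18048] 00000010 : CD C6 8C BF D6 E9 D5 DB-22 1F B4 B6 AD 40 CF FE : ........"....@..
System.Net.Sockets Verbose: 0 : [18048] 00000020 : 31 00 8C 51 B8 D5 63 3C-46 92 43 00 00 0E C0 0A : 1..Q..c<F.C.....
System.Net.Sockets Verbose: 0 : [18048] 00000030 : C0 09 C0 14 C0 13 00 35-00 2F 00 0A 01 00 00 40 : .......5./.....@
System.Net.Sockets Verbose: 0 : [18048] Data from Socket#50289903::Receive
System.Net.Sockets Verbose: 0 : [18048] 00000000 : 15 03 01 00 02                                  : .....
System.Net.Sockets Verbose: 0 : [18048] Data from Socket#50289903::Receive
System.Net.Sockets Verbose: 0 : [18048] 00000005 : 02 28                                           : .(
"""
HEX_LINE = re.compile(r"\] [0-9A-F]{8} : ((?:[0-9A-F]{2}[ -])+)")
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
ALERTS = {40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca", 70: "protocol_version"}

def socket_bytes(trace):
    """Reassemble each direction's bytes from the 'Data from Socket#n::Send/Receive' dumps."""
    streams, direction = {"Send": bytearray(), "Receive": bytearray()}, None
    for line in trace.splitlines():
        if m := re.search(r"Data from Socket#\d+::(Send|Receive)", line):
            direction = m.group(1)
        elif direction and (h := HEX_LINE.search(line)):
            streams[direction] += bytes.fromhex(h.group(1).replace("-", " "))
    return streams

def client_hello(sent):
    """Return the record version, ClientHello version and offered cipher suite IDs."""
    if sent[0] != 0x16 or sent[5] != 0x01:
        raise ValueError("stream does not start with a ClientHello")
    pos = 5 + 4 + 2 + 32            # record header, handshake header, version, random
    pos += 1 + sent[pos]            # session id length byte and session id
    n = int.from_bytes(sent[pos:pos + 2], "big")
    suites = [sent[i:i + 2].hex().upper() for i in range(pos + 2, pos + 2 + n, 2)]
    return VERSIONS.get(int.from_bytes(sent[1:3], "big")), VERSIONS.get(int.from_bytes(sent[9:11], "big")), suites

def alerts(received):
    """Walk the TLS records received and return (level, description) for each plaintext alert."""
    found, pos = [], 0
    while pos + 5 <= len(received):
        length = int.from_bytes(received[pos + 3:pos + 5], "big")
        body = received[pos + 5:pos + 5 + length]
        if received[pos] == 0x15 and len(body) == 2:
            found.append(("fatal" if body[0] == 2 else "warning", ALERTS.get(body[1], body[1])))
        pos += 5 + length
    return found
```

The alert only says that the server refused the handshake; it does not name the parameter it rejected, so read it together with the `#clientCertificates=0` line in the same trace.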
