Using local certificates by IIS

Question

I've developed Web API service, that makes request ot another Web API, that need a personal certificate.

When I developed this service on my local PC, I've just used HttpClient like this:

_handler = new HttpClientHandler() 
{ ClientCertificateOptions = ClientCertificateOption.Automatic };
_client = new HttpClient(_handler);

And my personal certificate was taken from my PC.

Then I wanted to publish my project to IIS 8 on Windows Server 2012 R2.

First I've installed all certificates on server and set up Application pool in IIS, IIS is launched by service user, but my API application use pool of my account (certificate is binded to it). But when I'm trying to make a request, I get an exception like this:

<InnerException>
<Message>An error has occurred.</Message>
<ExceptionMessage>An error occurred while sending the request.</ExceptionMessage>
<ExceptionType>System.Net.Http.HttpRequestException</ExceptionType>
<StackTrace/>
<InnerException>
<Message>An error has occurred.</Message>
<ExceptionMessage>
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
</ExceptionMessage>
<ExceptionType>System.Net.WebException</ExceptionType>
<StackTrace>
at System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context) at System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)
</StackTrace>
<InnerException>
<Message>An error has occurred.</Message>
<ExceptionMessage>
The remote certificate is invalid according to the validation procedure.
</ExceptionMessage>
<ExceptionType>
System.Security.Authentication.AuthenticationException
</ExceptionType>
<StackTrace>
at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult) at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)
</StackTrace>
</InnerException>
</InnerException>
</InnerException>

I think that my problem is that IIS can't use certificates, that I've installed on Windows Server.

How can I solve this?

Answer 1

The certificate must first of all be trusted, also access to reading the certificate can sometimes be a problem. check that IIS_IUSERS (app pool user) has read access:

A better solution might be to create a real certificate (non-selfsigned) especially if this is a public api.

Those no longer cost money, with services like let's encrypt and tools for IIS like win-acme (former lets-encrypt-win-simple) it will generate certificates for you for all bindings in your IIS but also has a lot of other options.

Answer 2

Use this before your call to HttpClient . Remember this code is only for development machines. DO not use this in production

ServicePointManager.ServerCertificateValidationCallback =
        delegate (
            object s,
            X509Certificate certificate,
            X509Chain chain,
            SslPolicyErrors sslPolicyErrors
        ) {
            return true;
        };