
Client certificate is always null

I have a certificate installed under Personal as well as Trusted Root Certification Authorities

Have tried using this bit of code to post to an endpoint:

public void Post()
{
    try
    {
        var clientCert = LoadFromStore("MyThumbprint");
        var requestHandler = new WebRequestHandler();

        requestHandler.ClientCertificates.Add(clientCert);

        var client = new HttpClient(requestHandler)
        {
            BaseAddress = new Uri("https://localhost:44430/")
        };

        var response = client.GetAsync("api/test").Result;
        response.EnsureSuccessStatusCode();

        string responseContent = response.Content.ReadAsStringAsync().Result;
        Console.WriteLine(responseContent);
    }
    catch (Exception ex)
    {
        Console.WriteLine("Exception while executing the test code: {0}", ex.Message);
    }
}

Upon inspection the .ClientCertificate property is always null.

[Route("api/[controller]")]
public class TestController : Controller
{
    [HttpGet]
    public ActionResult<IEnumerable<string>> Get()
    {
        var clientCertInRequest = Request.HttpContext.Connection.ClientCertificate;
        if (clientCertInRequest != null) return Ok();

        return BadRequest("No certificate found");
    }
}

Wondering if anyone has come across this issue before or knows a way around posting a certificate to a Web API endpoint and being able to retrieve and validate it?

Many thanks

.NET 6:

builder.WebHost.ConfigureKestrel(kestrel =>
{
    kestrel.ConfigureHttpsDefaults(https => https.ClientCertificateMode = ClientCertificateMode.AllowCertificate);
});

Older Versions:

return Host.CreateDefaultBuilder(args)
    .ConfigureWebHostDefaults(webBuilder =>
    {
        webBuilder.UseStartup<Startup>();
        webBuilder.ConfigureKestrel(kestrel =>
        {
            // Ask the client for a certificate during the TLS handshake.
            kestrel.ConfigureHttpsDefaults(https =>
                https.ClientCertificateMode = ClientCertificateMode.AllowCertificate);
        });
    });
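
The question also asks how to retrieve and validate the certificate once Kestrel requests it. The following .NET 6 minimal-API program is an added example, not code from the question or the answers; the `allowedThumbprints` set and its placeholder value are assumptions for illustration.

```csharp
// Program.cs (.NET 6, Microsoft.NET.Sdk.Web with implicit usings).
// Added example: request a client certificate, validate it during the TLS
// handshake, then read it in the endpoint.
using System.Net.Security;
using Microsoft.AspNetCore.Server.Kestrel.Https;

var builder = WebApplication.CreateBuilder(args);

// Assumption: allowlist of accepted client certificate thumbprints.
// The entry below is a placeholder, not a real thumbprint.
var allowedThumbprints = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
{
    "REPLACE_WITH_CLIENT_CERT_THUMBPRINT"
};

builder.WebHost.ConfigureKestrel(kestrel =>
{
    kestrel.ConfigureHttpsDefaults(https =>
    {
        // AllowCertificate: the server asks for a certificate but still
        // accepts connections that present none, so the endpoint must
        // handle a null certificate itself.
        https.ClientCertificateMode = ClientCertificateMode.AllowCertificate;

        // Called only when the client presented a certificate.
        // Returning false aborts the TLS handshake.
        https.ClientCertificateValidation = (cert, chain, errors) =>
            errors == SslPolicyErrors.None               // chain builds to a trusted root
            && allowedThumbprints.Contains(cert.Thumbprint); // and the certificate is expected
    });
});

var app = builder.Build();

app.MapGet("/api/test", (HttpContext ctx) =>
{
    // Null here means the client sent no certificate at all.
    var cert = ctx.Connection.ClientCertificate;
    return cert is null
        ? Results.BadRequest("No certificate found")
        : Results.Ok(new { cert.Subject, cert.Thumbprint });
});

app.Run();
```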

  1. Make sure you use real IIS and not IIS Express
  2. Configure IIS so that it accepts certificates
  3. Configure mapped certificates in config or Active Directory
  4. Try the request in the browser and see if a certificate selection dialog pops up
    • if not, diagnose based on the HTTP error substatus code
    • if so, run your code again

You must know that, on the server side, the certificate in the response depends on the certificate type / certificate content. I had the same issue: when I pushed a self-signed certificate (generated locally in IIS), the certificate in the request on the server was always null. But when I pushed a normal (public) certificate with a chain hierarchy, I was surprised because I received the certificate!!

So I recommend generating a public certificate for the first time at a free certificate authority, such as https://www.sslforfree.com/
