
GetClientCert is not picking up on IIS hosted api

I tried to validate the cert manually in Web API. The issue is that GetClientCertificate returns null all the time.

    // Read the client certificate presented on the TLS connection, if any
    var certRequest = actionContext.Request.GetClientCertificate();
    var message = certRequest == null ? "Certificate not found" : "Certificate found";

The IIS web site is like https://testapi.web.com. The cert file attached to the SSL binding appears as DNS=*.web.com. There is another cert file in the cert store, but it is not mapped to the HTTPS binding; its DNS=cl-testapi.web.com.

I tried supplying both cert files from the client call, and each time GetClientCertificate is received as null.

Client-side code:

    var handler = new HttpClientHandler()
    {
        SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls | SslProtocols.Ssl3 | SslProtocols.Ssl2
    };
    handler.ClientCertificates.Add(new X509Certificate2(@"c:\testcert.cer"));

    var client = new HttpClient(handler);

    var data = new StringContent([xmlcontent], Encoding.UTF8, "application/xml");
    var result = client.PostAsync("https://testapi.web.com", data).GetAwaiter().GetResult();
    var resultString = result.Content.ReadAsStringAsync().GetAwaiter().GetResult();

Can anyone suggest what is wrong with this?

Verified: IIS has "Accept" as the SSL setting. Also, both cert files are valid, and neither is picked up by the server API when using 'GetClientCert'.

I also tried searching for the cert in the client cert store and attaching it:

    var handler = new HttpClientHandler()
    {
        SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls | SslProtocols.Ssl3 | SslProtocols.Ssl2
    };
    X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
    store.Open(OpenFlags.ReadOnly);
    var certCollection = store.Certificates.Find(X509FindType.FindByThumbprint, "thumbprintGUID COPIED FROM CLIENT CERT", false);
    handler.ClientCertificates.Add(certCollection[0]);
    var client = new HttpClient(handler);

Note: certCollection[0].HasPrivateKey is false here.

Update: I am now making the request using a PFX file and password. I can see that the private key exists: certCollection[0].HasPrivateKey is true here. But GetClientCert is still not received.

You can try to correct the permissions on the c:\ProgramData\Microsoft\Crypto\RSA\MachineKeys folder to solve the 10013 error.

  1. Everyone. Access: Special. Applies to: This folder only
  2. Network Service. Access: Read & Execute. Applies to: This folder, subfolders and files
  3. Administrators. Access: Full Control. Applies to: This folder, subfolder and files
  4. System. Access: Full control. Applies to: This folder, subfolder and files
  5. IUSR. Access: Full Control. Applies to: This folder, subfolder and files
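
The client code in the question attaches a certificate without first confirming it can be used for TLS client authentication; a certificate with no private key (the `.cer` case, where `HasPrivateKey` is false) cannot be used for that. The following pre-flight check is an added example, not code from the original post; the class, method and parameter names (`ClientCertPreflight`, `Check`, `CreateClient`, `pfxPath`, `pfxPassword`) are assumptions made for illustration.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper: validates a client certificate before attaching it to the handler.
static class ClientCertPreflight
{
    const string ClientAuthOid = "1.3.6.1.5.5.7.3.2"; // id-kp-clientAuth

    // Returns null when the certificate looks usable for TLS client authentication,
    // otherwise a description of the first problem found.
    public static string Check(X509Certificate2 cert, DateTime nowLocal)
    {
        // A .cer file carries only the public certificate, so the client
        // cannot prove possession of the key during the handshake.
        if (!cert.HasPrivateKey)
            return "no private key (load a .pfx, or a store entry that has its key)";

        // NotBefore / NotAfter are reported in local time.
        if (nowLocal < cert.NotBefore || nowLocal > cert.NotAfter)
            return $"outside validity period {cert.NotBefore:yyyy-MM-dd} .. {cert.NotAfter:yyyy-MM-dd}";

        // If an Enhanced Key Usage extension is present it must list Client Authentication.
        var eku = cert.Extensions.OfType<X509EnhancedKeyUsageExtension>().FirstOrDefault();
        if (eku != null && !eku.EnhancedKeyUsages.Cast<Oid>().Any(o => o.Value == ClientAuthOid))
            return "Enhanced Key Usage does not include Client Authentication";

        return null;
    }

    // Builds an HttpClient that presents the certificate, failing early with a
    // readable message instead of a silent null on the server side.
    public static HttpClient CreateClient(string pfxPath, string pfxPassword)
    {
        var cert = new X509Certificate2(pfxPath, pfxPassword);
        var problem = Check(cert, DateTime.Now);
        if (problem != null)
            throw new InvalidOperationException($"Client certificate {cert.Thumbprint}: {problem}");

        var handler = new HttpClientHandler { ClientCertificateOptions = ClientCertificateOption.Manual };
        handler.ClientCertificates.Add(cert);
        return new HttpClient(handler);
    }
}
```

If this check passes and the server still sees no certificate, the remaining causes are on the server side (for example the IIS SSL setting or trust of the issuing CA), not in the client code.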
