Login/Register
Force HttpWebRequest to send client certificate
Asked Answered
Solved c#httpwebrequestx509certificate
A

4

14

I have a p12 certificate, that I load it in this way:

X509Certificate2 certificate = new X509Certificate2(certName, password,
        X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet |
        X509KeyStorageFlags.Exportable);

It is loaded correcty, in fact If i do certificate.PrivateKey.ToXmlString(true); it returns a complete xml without errors. But If I do:

try
{
    X509Chain chain = new X509Chain();
    var chainBuilt = chain.Build(certificate);
    Console.WriteLine("Chain building status: "+ chainBuilt);

    if (chainBuilt == false)
        foreach (X509ChainStatus chainStatus in chain.ChainStatus)
            Console.WriteLine("Chain error: "+ chainStatus.Status);
}
catch (Exception ex)
{
    Console.WriteLine(ex);
}

it writes:

Chain building status: False
Chain error: RevocationStatusUnknown 
Chain error: OfflineRevocation

so when I do:

        ServicePointManager.CheckCertificateRevocationList = false;
    ServicePointManager.ServerCertificateValidationCallback = (a, b, c, d) => true;
    ServicePointManager.Expect100Continue = true;
    Console.WriteLine("connessione a:" + host);
    HttpWebRequest req = (HttpWebRequest)WebRequest.Create(host);
    req.PreAuthenticate = true;
    req.AllowAutoRedirect = true;
    req.ClientCertificates.Add(certificate);
    req.Method = "POST";
    req.ContentType = "application/x-www-form-urlencoded";
    string postData = "login-form-type=cert";
    byte[] postBytes = Encoding.UTF8.GetBytes(postData);
    req.ContentLength = postBytes.Length;
    Stream postStream = req.GetRequestStream();
    postStream.Write(postBytes, 0, postBytes.Length);
    postStream.Flush();
    postStream.Close();

    WebResponse resp = req.GetResponse();

the server says that the certificate is not sent/valid.

My question is:

  • how can I sent the certificate even with chain build false?
  • there is another class to post a certificate that does not check the certificate validation before send it?

many thanks. Antonino

Albedo answered 16/9, 2016 at 10:15 Comment(7)
Does the web server trust the issuer of your client certificate? If not, the web server will reject the client certificate.Forespent
Yeah, I forgot to mention that if I add the certificate to user certificates and I try to connect with internet explorer the connection works.Albedo
I tested your code using a PKCS12 (.pfx) certificate containing a private key and it was successfulForespent
mine is a p12 file. was you able to connect with the certificate? It is installed in user certificate key set or in the computer key set? (I have windows in italian, I am not sure about the terms)Albedo
Yes, I was able to connect with the certificate which is installed in the current user store. Since it works in IE, try exporting the certificate with the private key from IE to .pfx Export Certificates (Windows), then reference that exported .pfx file from your code.Forespent
nothing, even with the pfx certificate, no chance to login. The strange thing is if I remove the certificate, commenting req.ClientCertificates.Add(certificate); the connection log is the same in fiddler...so looks like this line is not useful.Albedo
I tried commenting out the line req.ClientCertificates.Add(certificate); in my command-line program but it throws an exception. See if you can create a command-line program with the same code to see if at least the exported pfx certificate works. I've provided the modified code as an answer below. Also, if you're getting an exception please provide the stack trace.Forespent
A
31

I resolved the problem, The point is that a P12 file (as a PFX) contains more then 1 certificate, so it must be loaded in this way: 

X509Certificate2Collection certificates = new X509Certificate2Collection();
certificates.Import(certName, password, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);

and added to a HttpWebRequest in this way: request.ClientCertificates = certificates;

Thanks everybody for support.

COMPLETE SAMPLE CODE

string host = @"https://localhost/";
string certName = @"C:\temp\cert.pfx";
string password = @"password";

try
{
    X509Certificate2Collection certificates = new X509Certificate2Collection();
    certificates.Import(certName, password, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);

    ServicePointManager.ServerCertificateValidationCallback = (a, b, c, d) => true;
    HttpWebRequest req = (HttpWebRequest)WebRequest.Create(host);
    req.AllowAutoRedirect = true;
    req.ClientCertificates = certificates;
    req.Method = "POST";
    req.ContentType = "application/x-www-form-urlencoded";
    string postData = "login-form-type=cert";
    byte[] postBytes = Encoding.UTF8.GetBytes(postData);
    req.ContentLength = postBytes.Length;

    Stream postStream = req.GetRequestStream();
    postStream.Write(postBytes, 0, postBytes.Length);
    postStream.Flush();
    postStream.Close();
    WebResponse resp = req.GetResponse();

    Stream stream = resp.GetResponseStream();
    using (StreamReader reader = new StreamReader(stream))
    {
        string line = reader.ReadLine();
        while (line != null)
        {
            Console.WriteLine(line);
            line = reader.ReadLine();
        }
    }

    stream.Close();
}
catch(Exception e)
{
    Console.WriteLine(e);
}
Albedo answered 20/9, 2016 at 16:59 Comment(2)
thank you for this. I helped me a lot. Is there a way to add the certificate from the certificate store, rather than specify an actual file? I used to do this with WINHTTP.DLL, with this line of code : " m_ServerObj.SetClientCertificate "LOCAL_MACHINE\My\certname"Axiomatic
Works fine until you have to use the certificate on another machine then you get an error that the password is incorrect. Any idea why that might happen?Erickson
F
3

I created a command-line program using a modified version of your code with a pfx cert containing the private key exported from IE and I'm able to authenticate to a secure website and retrieve protected pages:

string host = @"https://localhost/";
string certName = @"C:\temp\cert.pfx";
string password = @"password";

try
{
    X509Certificate2 certificate = new X509Certificate2(certName, password);

    ServicePointManager.CheckCertificateRevocationList = false;
    ServicePointManager.ServerCertificateValidationCallback = (a, b, c, d) => true;
    ServicePointManager.Expect100Continue = true;
    HttpWebRequest req = (HttpWebRequest)WebRequest.Create(host);
    req.PreAuthenticate = true;
    req.AllowAutoRedirect = true;
    req.ClientCertificates.Add(certificate);
    req.Method = "POST";
    req.ContentType = "application/x-www-form-urlencoded";
    string postData = "login-form-type=cert";
    byte[] postBytes = Encoding.UTF8.GetBytes(postData);
    req.ContentLength = postBytes.Length;

    Stream postStream = req.GetRequestStream();
    postStream.Write(postBytes, 0, postBytes.Length);
    postStream.Flush();
    postStream.Close();
    WebResponse resp = req.GetResponse();

    Stream stream = resp.GetResponseStream();
    using (StreamReader reader = new StreamReader(stream))
    {
        string line = reader.ReadLine();
        while (line != null)
        {
            Console.WriteLine(line);
            line = reader.ReadLine();
        }
    }

    stream.Close();
}
catch(Exception e)
{
    Console.WriteLine(e);
}
Forespent answered 19/9, 2016 at 14:9 Comment(1)
This code is pretty the same of mine, but it does not work, and I don't understand why... I tried to add the log, and the certificate is sent. So maybe the IBM server is more restrictive than others...Albedo
E
2

The problem is that you install private key to machine store which is not generally allowed to use for client authentication for processes that doesn't run under local system account or have explicit private key permissions. You need to install the key in the current user store:

X509Certificate2 certificate = new X509Certificate2(certName, password,
        X509KeyStorageFlags.UserKeySet | X509KeyStorageFlags.PersistKeySet |
        X509KeyStorageFlags.Exportable);
Elfland answered 16/9, 2016 at 17:56 Comment(3)
I am not sure I can install the certificate in the IIS user, but go on setting, computer certificate, on the certificate I press right-click and all activities, manage private key, and added the IIS_USER to complete control and read.Albedo
But it would be incorrect. You really should install client authentication certificates in the user store.Elfland
I tried with the certificate installed in the current user store, and with UserKeySet flag, the problem is that Internet explorer successful access, My program does not :(Albedo
C
1

I was trying to use a self-signed certificate whose only purpose was "Server certificate" as a client certificate using the following code:

        HttpWebRequest request = (HttpWebRequest)HttpWebRequest.Create("https://serverurl.com/test/certauth");
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadWrite);
        var certificate = store.Certificates.Find(X509FindType.FindByThumbprint, "a909502dd82ae41433e6f83886b00d4277a32a7b", true)[0];
        request.ClientCertificates.Add(certificate);
        HttpWebResponse response = (HttpWebResponse)request.GetResponse();

What I learned was that .NET Framework will accept such a certificate as a client certificate, but .NET Core will not (see https://github.com/dotnet/runtime/issues/26531).

There are two solutions:

  1. Switch to .NET Framework
  2. Generate a new self-signed certificate that has a purpose / Enhanced Key Usage = Client certificate. Then the code will work in Core as well.
Cerography answered 29/3, 2021 at 15:51 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.