Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Accessing client certificates from an HTTP Request

Tags:

c#

security

asp.net

x509

mutual-authentication

I'm attempting to access a client certificate inside my web API from an HTTP request. I'm attaching a certificate as follows:

X509Certificate2 clientCert = GetClientCertificate();   
HttpWebRequest request  = (HttpWebRequest)WebRequest.Create("https://localhost:44366/test");                        
request.KeepAlive = true;
request.Method = "GET";
request.Accept = "application/json";
request.ClientCertificates.Clear();
request.ClientCertificates.Add(clientCert);
var response = (HttpWebResponse) request.GetResponse();

Where GetClientCertificate() accesses a locally-installed certificate. From inside my WebApi, I have the following route:

[HttpGet]
[Route("test")]
public HttpResponseMessage TestNoAuth()
{
    X509Certificate2 cert = Request.GetClientCertificate();
    return cert == null ? Request.CreateResponse(HttpStatusCode.BadRequest, "No cert") : Request.CreateResponse(HttpStatusCode.OK, "Cert attached");
}

No matter what I attempt, cert always comes back null. Am I attaching the certificate incorrectly, or trying to access it incorrectly? I've made an entirely new WebAPI with just this route for testing, to ensure there are no conflicting settings that might have been present in our development API. Any help would be greatly appreciated.

like image 725
Mason Avatar asked Dec 01 '16 20:12

Mason

People also ask

How do you check client certificates?

Chrome: Verifying that Your Client Certificate Is InstalledIn Chrome, go to Settings. On the Settings page, below Default browser, click Show advanced settings. Under HTTPS/SSL, click Manage certificates. In the Certificates window, on the Personal tab, you should see your Client Certificate.

How do I pass a client certificate to web API?

Using Client Certificates in Web API On the server side, you can get the client certificate by calling GetClientCertificate on the request message. The method returns null if there is no client certificate. Otherwise, it returns an X509Certificate2 instance.

1 Answers

Make sure your web.config correctly sets sslFlags to SslNegotiateCert:

  <system.webServer>
    <security>
        <access sslFlags="SslNegotiateCert" />
    </security>
  </system.webServer>

Without this setting any certificate attached to the request will be ignored, see this for details.

There is a great series of articles about using client certificates in .NET by Andras Nemes. In this one it's described in detail how to setup client certificats for local test usage.

like image 187
CodeFuller Avatar answered Sep 22 '22 20:09

CodeFuller
Sign in to Comment

Related questions

RaiseCanExecuteChanged COM Exception during Navigation?
Understanding the true behavior of the DispatcherPriority enum provided in WPF
UWP TextBox not respecting TwoWay binding when typing
What could be rate limiting CPU cycles on my C# WCF Service?
SmtpClient can't send; Thunderbird can
Correct usage of AntiForgery token in ASP.NET 5 in SPA application?
Factorial(s) of N numbers in for loop
ComponentSerializationService not deserializing all properties
C# - Free Offliine speech recognition library (SDK)
Passing data from view to partial view in MVC
Visual Studio MEF Extension - Force Margin Glyphs To Be Updated or Redraw
Azure web application suddenly gives 500 errors
Sendgrid: Send distinct mails to different recipients in one request
What is the themeResource for window's title text color?
failed to connect signalR error during websocket handshake code : 400
How to test with MediatR
SMO: restoring to a different DB, why db is null?
text/plain Media Type not being accepted for WebApi v2
What is the attribute in Xunit that's similar to TestContext in Visual studio tests?
How to get element dropped on Nestable List

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!